php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60707 max_input_vars allows one extra var
Submitted: 2012-01-11 05:15 UTC Modified: -
Votes:3
Avg. Score:3.0 ± 1.6
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: vrana@php.net Assigned:
Status: Open Package: Variables related
PHP Version: 5.3.9 OS: Irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: vrana@php.net
New email:
PHP Version: OS:

 

 [2012-01-11 05:15 UTC] vrana@php.net
Description:
------------
Setting max_input_vars to N allows N+1 variables.

Test script:
---------------
<form action="" method="post">
<?php
$max_input_vars = ini_get('max_input_vars');
for ($i=0; $i < $max_input_vars + 2; $i++) {
	echo "<input type='hidden' name='a$i' value='$i'>\n";
}
var_dump($max_input_vars);
var_dump(count($_POST));
?>
<input type="submit">
</form>


Expected result:
----------------
string(4) "1000"
int(1000)


Actual result:
--------------
string(4) "1000"
int(1001)


Patches

fix_bug_60707 (last revision 2014-11-05 22:48 UTC by thuejk at gmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-11 12:36 UTC] laruence@php.net
max_input_vars is used to protected from ddos attack, IMO it's not a big deal :)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Thu Nov 14 12:01:36 2019 UTC