Bug #60707 max_input_vars allows one extra var
Submitted: 2012-01-11 05:15 UTC Modified: -
Votes:4
Avg. Score:2.8 ± 1.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: vrana@php.net Assigned:
Status: Open Package: Variables related
PHP Version: 5.3.9 OS: Irrelevant
Private report: No CVE-ID: None
 [2012-01-11 05:15 UTC] vrana@php.net
Description:
------------
Setting max_input_vars to N allows N+1 variables.

Test script:
---------------
<form action="" method="post">
<?php
$max_input_vars = ini_get('max_input_vars');
for ($i=0; $i < $max_input_vars + 2; $i++) {
	echo "<input type='hidden' name='a$i' value='$i'>\n";
}
var_dump($max_input_vars);
var_dump(count($_POST));
?>
<input type="submit">
</form>


Expected result:
----------------
string(4) "1000"
int(1000)


Actual result:
--------------
string(4) "1000"
int(1001)


Patches

fix_bug_60707 (last revision 2014-11-05 22:48 UTC by thuejk at gmail dot com)

History

 [2012-01-11 12:36 UTC] laruence@php.net
max_input_vars is used to protect from DDoS attacks, IMO it's not a big deal :)
 
Last updated: Thu Sep 29 09:05:52 2022 UTC