|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #60728 max_input_vars doesn't limiting multi-dimensional arrays
Submitted: 2012-01-12 14:14 UTC Modified: 2012-01-21 23:09 UTC
From: sv3tli0 at bgspot dot eu Assigned: frozenfire (profile)
Status: Closed Package: Variables related
PHP Version: 5.3.9 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
5 + 31 = ?
Subscribe to this entry?

 [2012-01-12 14:14 UTC] sv3tli0 at bgspot dot eu
The max_input_vars doesn't limiting multi-dimensional arrays!
If user post var[] the uploaded array wont be limitted.

Test script:
<form action="" method="post">
$max_input_vars = ini_get('max_input_vars');
for ($i=0; $i < $max_input_vars + 5; $i++) {
	echo "<input type='hidden' name='a[]' value='$i'>\n";
<input type="submit">

Expected result:
string(4) "1000"

Actual result:
string(4) "1000"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-01-12 14:16 UTC] sv3tli0 at bgspot dot eu
I have one miss at the test code! 
must be :
 [2012-01-12 17:34 UTC]
The limit is per-nesting level actually because it is protecting against a hash-
collision DoS attack and only elements at the same nesting level can collide. So 
the code is fine, the documentation needs to be clearer.
 [2012-01-12 17:34 UTC]
-Type: Security +Type: Documentation Problem
 [2012-01-21 23:09 UTC]
Automatic comment from SVN on behalf of frozenfire
Log: Rewrote max_input_vars directive description for clarity, and indicated that this limit applies only to each nesting level of a multidimensional input array. Closes bug #60728.
 [2012-01-21 23:09 UTC]
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

 [2012-01-21 23:09 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: frozenfire
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Oct 23 02:03:34 2021 UTC