Just came across a belter of an issue with a ridiculously oversized form on a work website.
The background is that the page has 200+ item types, each with 2 cost types, with each cost type having 4 tiers. 2 x 4 x 200 = 1600 input fields (not including other elements, like submit buttons, hidden fields, etc.).
I noticed that some of the later elements weren’t saving. In fact, dumping the $_POST to screen showed that they weren’t even making it to the form processing script. They’d just… disappeared.
I knew of a change in PHP 5.3.9 – the addition of max_input_vars, which allows you to specify the maximum number of elements allowed in a submission (apparently, in order to prevent DoS attacks using hash collisions). But as we’re currently running 5.3.8, it didn’t appear to be that.
Then, after a bit of Googling, it struck me – the Suhosin patch. Sure enough, it seems Suhosin was enforcing a limit on the number of form elements that could be submitted in a single form, which makes sense seeing as it’s designed to “harden” PHP. The 2 offending directives are suhosin.post.max_vars and suhosin.request.max_vars, which are there to limit $_POST and $_GET input variables respectively.
So, if you foresee having more than 1000 elements in a single form, and you’re using the Suhosin patch, you should add the following to your php.ini file in order to allow it:

max_input_vars = 3000
suhosin.post.max_vars = 3000
suhosin.request.max_vars = 3000

This example sets the limit to 3000. Obviously, you could refine that number to whatever you need.
As far as I know, you can also set max_input_vars from within your .htaccess file – though I’m not sure if that’s the case with the Suhosin directives.
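
A check the form handler can run so that a truncated submission is rejected and logged instead of being saved with fields missing. This is an added example, not code from the original post: the hidden field name form_end and the helper names are assumptions, and counting leaf values only approximates how PHP and Suhosin count variables.

```php
<?php
// Added example: detect silent truncation of a large POST before saving it.
// Written for PHP 5.3 (array() syntax, no http_response_code()).

/** Count scalar (leaf) values in a possibly nested input array. */
function count_input_leaves(array $input)
{
    $n = 0;
    array_walk_recursive($input, function ($value) use (&$n) { $n++; });
    return $n;
}

/** Return the configured limits that the submission has reached. */
function limits_reached(array $post, array $directives)
{
    $count = count_input_leaves($post);
    $hit = array();
    foreach ($directives as $name) {
        $limit = ini_get($name); // false when the directive does not exist
        // Skip directives that are absent, empty or zero.
        if ($limit !== false && (int) $limit > 0 && $count >= (int) $limit) {
            $hit[$name] = (int) $limit;
        }
    }
    return $hit;
}

$directives = array(
    'max_input_vars',
    'suhosin.post.max_vars',
    'suhosin.request.max_vars',
);

$isPost = isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST';
if ($isPost) {
    // Assumption: the form renders <input type="hidden" name="form_end" value="1">
    // as its very last element, so it is the first field lost to truncation.
    $sentinelMissing = !isset($_POST['form_end']);
    $hit = limits_reached($_POST, $directives);
    if ($sentinelMissing || count($hit) > 0) {
        error_log('Form truncated: ' . count_input_leaves($_POST)
            . ' values received; limits reached: ' . json_encode($hit));
        header('HTTP/1.1 400 Bad Request');
        exit('Submission was incomplete and has not been saved.');
    }
}
```

With this in place the limits can be raised only as far as the largest legitimate form needs, since anything that still exceeds them is reported rather than silently dropped.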