Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:129334 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 201521A00BC for ; Thu, 20 Nov 2025 15:08:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1763651332; bh=CFBWMp0Qfw21NWu0XNxDytVfs20MNGkdr47EvxR9yOc=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=PGOFe+7Ll80IITVfANE8YVucmCD71WgTTq44vKikF0wwYZvzgXs152bZp8/5WNeXn 80PxS+dVOb3WFYwoz2QX0nklOHanopNYh7cUNRMhB+N57GUG4dRkVNjBXpGsKY0aFn WOfyd9ayh10z6DQ3m6YW60SepiFf6xA17ioV7LDMaC8rcDtVxcfiIQ/JAKjwXY9FSK jSteW4IukLhHfb+scczjYPhJ6BrT9Bqhjd/WgfKJIsQAl0+TtBMSNLmy+NKlI/1wWF BdNLnvy3W2tNLpsVW3exhhITRmWgtlPAvMxDUvUStUl3Kg/5wlfYSK69jnZgtjdv48 mmcVa7xQuOe0Q== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id EFBED1805DA for ; Thu, 20 Nov 2025 15:08:51 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 20 Nov 2025 15:08:51 +0000 (UTC) Received: by mail-lj1-f169.google.com with SMTP id 38308e7fff4ca-37a33f49018so7335041fa.2 for ; Thu, 20 Nov 2025 07:08:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763651325; x=1764256125; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CFBWMp0Qfw21NWu0XNxDytVfs20MNGkdr47EvxR9yOc=; b=CNXOYzb62qo+Z8Fi9VHNFjzHc8UljTmGvQuDklz/vPQeXNKKLMfU5N5fzz0ajBSz+X Ey7aVbbYIUfKtonkDKWWtDE7hNtBgPLepgUKajh8SK6CUOMj/0L1CbPiWbUzIRJMKiV5 i3KVjCcqeICHsoEJP0J2hPVl72YjvNEebRYXbomBpY69zlL2ADilG6WFdAL3Nd4KM6AM Tr3TNc8HCRqX3zDJuUI0mGJzreZR3H9nAaRrYB+Wn0LGXet+EpneLsVcCS0/Xi88YPfA 69vXw90dmGfCoS076beY09xi6OpbNRTmmmpw+FZj1NUWxoF9mUPIvB6va95IDe3HL4DS A7ew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763651325; x=1764256125; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=CFBWMp0Qfw21NWu0XNxDytVfs20MNGkdr47EvxR9yOc=; b=uGFl07FoBDtlLhzdzpsuzLQeu6wKmTL843nAq8L37GpSleeg4uEhmtuVN5Y5BcKVcD iFmOvcJZ3ptJPsK923tiuG4w3dGRq13KGqsLoWrNVVU9VT7YtpQDncynzpqax+M6U53t AkeyuaEHt2IOjUvPg7h1+aINw/3zKlyIC5eSf8O5DaOTpzjCE+0wfGgxLX6SrJrqjLsE axuLOZPIettPdJMoQ386L4eR+cxlz9E16Y8S7KQ5yVr/79QI+WIKhc7PwreMGQ5wRNBJ YQQ/Sjd/+Ia32gO5Eqy+a77C7Lf2pTdfXNzyzfkYSw3Z8e1qTDvuIBs51fbr9olmJH2w ZcZw== X-Forwarded-Encrypted: i=1; AJvYcCWQBQYydsgxqPQ8xAqBs/hTaOaEgAHofWzYzK50kJ03cAnhGljFzqkmMkZ6yNfveLdr5ZkrCMJHfQs=@lists.php.net X-Gm-Message-State: AOJu0YxefGaJ1BTdB5WFXg8jAhxjI9XPrjyx2NGlb66v/sSUVtWXToi6 N5GdVbAB41L3K6PPvC2WUi1JBkSzH1J3WKTXrYcGoZVYCWBoRXGsaWG3YR2RpdsFn3WQb2hDyoq gLze7PmN9tOJh7yyBMl7S9Myq3fxwnG0= X-Gm-Gg: ASbGnctgo4oxEjcu+KRMpNNk/s04UmIJJVCluOaOOMU0BLZCnylZpHNZv+GK0wax9lq M32W4X5qUg8nHdjH23umrvU44e7S8rSTphNFzH/Qxpra3L4Hv+V0aAp08SP1zX793+dAuDI4v6x C8/fWYHP2w4VZZldxOY4aYaCCSwDT1RBuPUY2Pymh1i5ufKsKGrsVaMX5vfwU1YNADB9qU/U7Jv aXwC4V6T19BaD45I5lF1kWF2A6xFZ3kyQrBx0zYENwuGIh6Jip0IPChUFNXbW487SJArQ== X-Google-Smtp-Source: AGHT+IEiFgyzIerjIz4iOvrh6/LkIstInwLq/Ti1scOL6tLkZZqPN8vQlptxHqYmMkZshL5YLnwguJ2V1P1/x2DKtXU= X-Received: by 2002:a2e:3614:0:b0:372:8962:d06d with SMTP id 38308e7fff4ca-37cc67afe21mr9809751fa.40.1763651324899; Thu, 20 Nov 2025 07:08:44 -0800 (PST) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 20 Nov 2025 16:08:17 +0100 X-Gm-Features: AWmQ_bl0zaGyiZ6mFUPEVtxBHR8x1pmx4GxJWiNR-tZiZRj1qmG6k83fg5tTP_k Message-ID: Subject: Re: [PHP-DEV] max_input_vars silently truncates input without an error message To: Andrey Andreev Cc: Brady Wetherington , PHP internals Content-Type: multipart/alternative; boundary="000000000000ba760d06440812d7" From: kjarli@gmail.com (Lynn) --000000000000ba760d06440812d7 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Nov 20, 2025 at 3:04=E2=80=AFPM Andrey Andreev w= rote: > Hi Brady, > > I agree that E_WARNING is a poor way to handle this limit, and IMO a fata= l > error should be triggered instead. The ability to suppress and ignore is > the root cause of why your situation is possible at all, and Laravel's > behavior in this instance also did you a massive disservice. > > That being said however, this is also an extreme and self-inflicted edge > case. 1k is an absurd number, even 100 input vars should be a sign of poo= r > code logic. I urge you to redesign your solution entirely instead of > looking for a quick workaround. > > Cheers, > Andrey. > Unfortunately I'm no stranger to max input vars. We have increased the limit to 10k because we will frequently hit over 1k. PHP is used for more than just websites. One example is having a range of 20+ shoe sizes with 100+ stores in a single form where you can enter a number per size per store. These forms are not rare in the application my company develops and there's not really another way to deal with this. There's no performance issue here and it works just fine, other than being bitten by an invisible issue that causes data loss. Having a fatal error would certainly help a lot to at least prevent partial data from being processed and potentially causing data corruption. --000000000000ba760d06440812d7 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Thu, Nov 20,= 2025 at 3:04=E2=80=AFPM Andrey Andreev <narf@devilix.net> wrote:
Hi Brady,
=

I agree that E_WARNING is a poor way to handle this lim= it, and IMO a fatal error should be triggered instead. The ability to suppr= ess and ignore is the root cause of why your situation is possible at all, = and=C2=A0Laravel's behavior in this instance also did you a massive dis= service.

That being said however, this is also an = extreme and self-inflicted edge case. 1k is an absurd number, even 100 inpu= t vars should be a sign of poor code logic. I urge you to redesign your sol= ution entirely instead of looking for a quick workaround.

Cheers,
Andrey.

Un= fortunately I'm no stranger to max input vars. We have increased the li= mit to 10k because we will frequently hit over 1k. PHP is used for more tha= n just websites. One example is having a range of 20+ shoe sizes with 100+ = stores in a single form where you can enter a number per size per store. Th= ese forms are not rare in the application my company develops and there'= ;s not really another way to deal with this. There's no performance iss= ue here and it works just fine, other than being bitten by an invisible iss= ue that causes data loss.

Having a fatal error wou= ld certainly help a lot to at least prevent partial data from being process= ed and potentially causing data corruption.
--000000000000ba760d06440812d7--