Newsgroups: php.internals
Date: Thu, 20 Nov 2025 20:16:16 +0200
Subject: Re: [PHP-DEV] max_input_vars silently truncates input without an error message
From: julian@rospace.com (Julian Somesan)
To: Lynn
Cc: Andrey Andreev, Brady Wetherington, PHP internals

On Thu, Nov 20, 2025 at 5:10 PM Lynn wrote:

> On Thu, Nov 20, 2025 at 3:04 PM Andrey Andreev wrote:
>
>> Hi Brady,
>>
>> I agree that E_WARNING is a poor way to handle this limit, and IMO a
>> fatal error should be triggered instead. The ability to suppress and ignore
>> is the root cause of why your situation is possible at all, and Laravel's
>> behavior in this instance also did you a massive disservice.
>>
>> That being said however, this is also an extreme and self-inflicted edge
>> case. 1k is an absurd number, even 100 input vars should be a sign of poor
>> code logic. I urge you to redesign your solution entirely instead of
>> looking for a quick workaround.
>>
>> Cheers,
>> Andrey.
>
> Unfortunately I'm no stranger to max input vars. We have increased the
> limit to 10k because we will frequently hit over 1k. PHP is used for more
> than just websites. One example is having a range of 20+ shoe sizes with
> 100+ stores in a single form where you can enter a number per size per
> store. These forms are not rare in the application my company develops and
> there's not really another way to deal with this. There's no performance
> issue here and it works just fine, other than being bitten by an invisible
> issue that causes data loss.
>
> Having a fatal error would certainly help a lot to at least prevent
> partial data from being processed and potentially causing data corruption.

Honestly I really do not understand why you call that an "invisible issue".
It is emitting a warning all the time, it is your job as a professional
developer to catch all warnings at least in the development phase.
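
Added example, not part of the thread and not PHP's or Laravel's own code: one way for an application to fail closed on the truncation discussed above, by comparing the number of fields in the raw urlencoded body with `max_input_vars` before `$_POST` is read. The function names are hypothetical, the sample body is constructed from the 20 sizes by 100 stores form mentioned in the thread, and the count is an approximation that assumes the default `&` input separator.

```php
<?php
declare(strict_types=1);

/** Count name=value pairs in a raw application/x-www-form-urlencoded body. */
function countUrlencodedPairs(string $rawBody): int
{
    // Empty segments ("a=1&&b=2") carry no variable, so they are skipped.
    return count(array_filter(explode('&', $rawBody), fn(string $p): bool => $p !== ''));
}

/** True when the body carries more pairs than the configured limit allows. */
function exceedsInputVarLimit(string $rawBody, int $limit): bool
{
    return countUrlencodedPairs($rawBody) > $limit;
}

/** Call first in the front controller: reject the request rather than process partial data. */
function rejectTruncatedPost(): void
{
    $type = $_SERVER['CONTENT_TYPE'] ?? '';
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || stripos($type, 'application/x-www-form-urlencoded') !== 0) {
        return; // php://input is not available for multipart/form-data bodies
    }
    $raw   = (string) file_get_contents('php://input');
    $limit = (int) ini_get('max_input_vars');
    if (exceedsInputVarLimit($raw, $limit)) {
        http_response_code(413);
        error_log(sprintf('POST rejected: %d fields exceed max_input_vars=%d',
            countUrlencodedPairs($raw), $limit));
        exit('Too many form fields; nothing was saved.');
    }
}

// Constructed sample input: one quantity per size per store, 2000 fields in total.
if (PHP_SAPI === 'cli') {
    $fields = [];
    for ($store = 1; $store <= 100; $store++) {
        for ($size = 1; $size <= 20; $size++) {
            $fields[] = sprintf('qty[%d][%d]=1', $store, $size);
        }
    }
    $body = implode('&', $fields);
    var_dump(countUrlencodedPairs($body));        // number of fields in the body
    var_dump(exceedsInputVarLimit($body, 1000));  // checked against the 1k limit from the thread
    var_dump(exceedsInputVarLimit($body, 10000)); // checked against the raised 10k limit
}
```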

