Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:129343 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 3CCBF1A00BC for ; Thu, 20 Nov 2025 18:51:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1763664708; bh=/qQJu0qOYnI9etlRpjr5wNGbJzvJxH1VTfNO6muIfYo=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=dUlNqRBoDfgRERvLHMuFNjigmfN4MJYIGhecoEXYK4yRbtxIWTc0DsHoB5ap07xan p4cDnhlagWshNabYZWUsAy0iF2tBTd2R99T7nWiUD+Io1xLFYU/B15b06XXUsFBqOd tTrNcLbD4wdThHgtV9IC2KETLBQ34tCtflH9fGGDEaXDGUSFR3/n1HJh+S5KDIzoWZ ZlV4uz0ePQ0sn3IrVnKH4BL1zdfcIyR2u01LyN3fMH6bi8hjmWsSgxI+0DlNm9iyZJ HABZi7j1klfE2hJJ064ByPuDJPqzaX43yS9ZRGqGH734vT9v2t+gXHh7tGuDxmLtrD vdxD5vgXdsMWw== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id E59721807B3 for ; Thu, 20 Nov 2025 18:51:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=0.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-lj1-f171.google.com (mail-lj1-f171.google.com [209.85.208.171]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 20 Nov 2025 18:51:47 +0000 (UTC) Received: by mail-lj1-f171.google.com with SMTP id 38308e7fff4ca-37a4e329a90so10696271fa.0 for ; Thu, 20 Nov 2025 10:51:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763664701; x=1764269501; darn=lists.php.net; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nB6bWhXTO7mwkGxK/xBZPpkbxHBMzNZGBeytua3gaJ0=; b=Pz6yfh06LSYzS9B2TjhCWEdTg47GZAfhMYwBJ0cfWKAwdkV1b2Vql24dfW3fSHIbtW i0cQKc6hyEER5rju2VGrS//iPKmgqjJmLDZisYfIiHBo3aWtc1b3odrLzhiMC4NKub9m cm2PUoeNPpRwMqTb8OxYXAROlVIegc3cQ2/YYdo3AXgmd8tp7/7NRs6ce8gWbGnl23wh LruRoCc/HE19/newmS4Xa0aQwhf+tE1De76oMraVAJBCaMLQNGmZRgDHWb+saw3BeApN QrjOsHo/g5JmO1Vl8pxI5NiFEV2RcucLPNwT4UNNk/1+jQXYfTw3hmilTeza3PJIed4g kA9Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763664701; x=1764269501; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nB6bWhXTO7mwkGxK/xBZPpkbxHBMzNZGBeytua3gaJ0=; b=KX6EGIsQHpJW9Gg0VurIdeQVe9DdVOyREg049XfUNbGqEUiJoPDJuTYJDq3p+0g6C4 XhfudW73XSPX2cZQ7eq9RAWhmBJCvWdvYzFiLwCv2R+ndci6uwkUuWSuSw4IuLXa03f9 DHkKt5axjLYGitVZs2kNvZ12K6ZHxmgV/y8FYIcF5rquwSasG6GzR6Ttwb3dZDelI/Kj QCNpLoXl7tUcsGi/Tpu5WCGF3UHYag+fcSXy7TZAQP3cGbhlVYip0N41dkg4M9vWd/kx Gg4cr6QjPm535JFsf52jh+ola89a0nimipPpInkGKwzMvTVElutuZw3pMT0ZF2k525jd OgPA== X-Forwarded-Encrypted: i=1; AJvYcCWhv+EpgysYH8wBhjEv0UxtW5W8YyeGdNZncKuEpwy91Hj7CjYhTBiCQl3IPC095fYbBb+ppX24eYY=@lists.php.net X-Gm-Message-State: AOJu0Yz2JKkIUk3J48c9wA+UqrZSF3FUUMHdits2oTtvAQ/sihagmXCy x2q048hrREgTiaMOH0GgYzhjUR2dq+p5M5e7W9+YPe3uf11vPW8Bp6WJBU8IJ9W96/KThg18OD3 bqV0fE6Pbr3RESrFXa5maSak+u5tKT84LSw== X-Gm-Gg: ASbGnctacH8c3RXJfY5nIsHs6uN6n+wvQ0fTkNH2sSMcu8aYvv4mQobjwXEYx1/TcWu BEZS/thgrah78slroktSxHE2tZsSjCYdTtu5i75D+9Lj0Qez8JCv3xwQhi1pFdkd51qtEuDwgv5 Tm3KkaTDWCJgZ57MoFc9etm7H+MGXfUYSlqE3O25kU62wYWw4OBmALDD8yfwmCS65IFphygJYJc WI7YshdgiwpxoTDrBtIfSspBHR2KMyxhq2nBU9QIj74wEyN6RPbDHB4k/bri0IIt+/lA0aExsU2 ZMhrn33BQVhotAGZXnuJyCiofA== X-Google-Smtp-Source: AGHT+IGK5fXIDHbRxTqFM0Ez/kDAdAGn8WmaFRLZiW8zxd9YBYGeNed3HoR6OedyGh0qx5RQSt+zBTZcEgntRNe3zZw= X-Received: by 2002:a05:651c:3057:b0:373:a3e2:b907 with SMTP id 38308e7fff4ca-37cd6b55531mr993861fa.10.1763664700800; Thu, 20 Nov 2025 10:51:40 -0800 (PST) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 20 Nov 2025 19:51:15 +0100 X-Gm-Features: AWmQ_bnlv0B7xvFUI8QvsIzOTXAgJNFOxS310sS1kyMV-TBF8j06zRBkU-V5Cxs Message-ID: Subject: Re: [PHP-DEV] max_input_vars silently truncates input without an error message To: Julian Somesan Cc: Andrey Andreev , Brady Wetherington , PHP internals Content-Type: multipart/alternative; boundary="000000000000fe876d06440b2fbb" From: kjarli@gmail.com (Lynn) --000000000000fe876d06440b2fbb Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Nov 20, 2025 at 7:17=E2=80=AFPM Julian Somesan = wrote: > > > On Thu, Nov 20, 2025 at 5:10=E2=80=AFPM Lynn wrote: > >> >> >> On Thu, Nov 20, 2025 at 3:04=E2=80=AFPM Andrey Andreev wrote: >> >>> Hi Brady, >>> >>> I agree that E_WARNING is a poor way to handle this limit, and IMO a >>> fatal error should be triggered instead. The ability to suppress and ig= nore >>> is the root cause of why your situation is possible at all, and Laravel= 's >>> behavior in this instance also did you a massive disservice. >>> >>> That being said however, this is also an extreme and self-inflicted edg= e >>> case. 1k is an absurd number, even 100 input vars should be a sign of p= oor >>> code logic. I urge you to redesign your solution entirely instead of >>> looking for a quick workaround. >>> >>> Cheers, >>> Andrey. >>> >> >> Unfortunately I'm no stranger to max input vars. We have increased the >> limit to 10k because we will frequently hit over 1k. PHP is used for mor= e >> than just websites. One example is having a range of 20+ shoe sizes with >> 100+ stores in a single form where you can enter a number per size per >> store. These forms are not rare in the application my company develops a= nd >> there's not really another way to deal with this. There's no performance >> issue here and it works just fine, other than being bitten by an invisib= le >> issue that causes data loss. >> >> Having a fatal error would certainly help a lot to at least prevent >> partial data from being processed and potentially causing data corruptio= n. >> > > > > Honestly I really do not understand why you call that an " invisible > issue". > It is emitting a warning all the time, it is your job as a professional > developer to catch all warnings at least in the development phase. > I can't think of every single possible combination in development, this is all based on tenants and their setup. That said, a ton of this is also code that was written way before I started working here (20 years+), and we're talking a million+ lines of code. This warning disappears between millions of log lines in production. I would rather have a customer call us with an error than the issue silently dodging detection. I'm not looking for your approval or anything, just explaining that this can pose a real issue no matter how hard you try to do it the right way. --000000000000fe876d06440b2fbb Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Thu, Nov 20,= 2025 at 7:17=E2=80=AFPM Julian Somesan <julian@rospace.com> wrote:


On Thu, Nov = 20, 2025 at 5:10=E2=80=AFPM Lynn <kjarli@gmail.com> wrote:


On T= hu, Nov 20, 2025 at 3:04=E2=80=AFPM Andrey Andreev <narf@devilix.net> wrote:
=
Hi Brady,

I agree that E_WARNING is = a poor way to handle this limit, and IMO a fatal error should be triggered = instead. The ability to suppress and ignore is the root cause of why your s= ituation is possible at all, and=C2=A0Laravel's behavior in this instan= ce also did you a massive disservice.

That being s= aid however, this is also an extreme and self-inflicted edge case. 1k is an= absurd number, even 100 input vars should be a sign of poor code logic. I = urge you to redesign your solution entirely instead of looking for a quick = workaround.

Cheers,
Andrey.

Unfortunately I'm no stranger to max input v= ars. We have increased the limit to 10k because we will frequently hit over= 1k. PHP is used for more than just websites. One example is having a range= of 20+ shoe sizes with 100+ stores in a single form where you can enter a = number per size per store. These forms are not rare in the application my c= ompany develops and there's not really another way to deal with this. T= here's no performance issue here and it works just fine, other than bei= ng bitten by an invisible issue that causes data loss.

=
Having a fatal error would certainly help a lot to at least prevent pa= rtial data from being processed and potentially causing data corruption.



Honestly I really do not understand why you call that an " invisibl= e issue".
It=C2=A0 is emitting=C2=A0a warning all the time, = it is your job as a professional developer to catch all warnings at least i= n the development phase.=C2=A0

I can't think of every single possible combination in development= , this is all based on tenants and their setup. That said, a ton of this is= also code that was written way before I started working here (20 years+), = and we're talking a million+ lines of code. This warning disappears bet= ween millions of log lines in production. I would rather have a customer ca= ll us with an error than the issue silently dodging detection. I'm not = looking for your approval or anything, just explaining that this can pose a= real issue no matter how hard you try to do it the right way.
<= /div> --000000000000fe876d06440b2fbb--