Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:129347 X-Original-To: internals@lists.php.net Delivered-To: internals@lists.php.net Received: from php-smtp4.php.net (php-smtp4.php.net [45.112.84.5]) by lists.php.net (Postfix) with ESMTPS id 527901A00BC for ; Thu, 20 Nov 2025 19:13:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=php.net; s=mail; t=1763665986; bh=GHEGMY37w9xrNNljWuyhrNgkjeqZYb4tdmyuSPTGiv8=; h=References:In-Reply-To:From:Date:Subject:Cc:From; b=kb55mIZl/EAUG2LJG4diZ1N9pN09t/JlT0K8pczVnvQiO6P/tTanAxLcwKu4FjwbF sP9fkCMFppyt/UsMyj+/5F49d42uXE/6L2XOpUxZ/562SS1cElNjwkm77jNJLb0j7g sewxHqoBZMh/Osy/hA9UncezSOtChtcFF5LpRbB4NpGRf6vaja3Duwt1ofQTHdfw/i NzHliPy+m8e3Kj6jHSOCIS6bS7G2s5TVOCl5Z3dbVBsHJmhPKqKiyE/GJQ0LBXOdoK qaXv9hs5Iw/nxplLuyvVLnyPP7b9ThyTYxBM1MGVYjBg6LrFWQRC1oCx7917FZ8/nm fpU+j+sYmmegA== Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id DC4EB18066D for ; Thu, 20 Nov 2025 19:13:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-25) on php-smtp4.php.net X-Spam-Level: * X-Spam-Status: No, score=1.6 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,DMARC_PASS,MISSING_HEADERS, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no version=4.0.1 X-Spam-Virus: No X-Envelope-From: Received: from mail-ej1-f45.google.com (mail-ej1-f45.google.com [209.85.218.45]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 20 Nov 2025 19:12:53 +0000 (UTC) Received: by mail-ej1-f45.google.com with SMTP id a640c23a62f3a-b735487129fso194013266b.0 for ; Thu, 20 Nov 2025 11:12:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=grokability.com; s=google; t=1763665967; x=1764270767; darn=lists.php.net; h=content-transfer-encoding:cc:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=0+voX/RkhDNZJbr/bjaUMB9Cl0+6YQkG11JlQ0ymsz0=; b=LttdEOFiHyV0A45rrCSI7QNEuvbZDam9kCxLsKHvRA+4bF2Eafgvy8yfhdTAei5z9O AtmXpwJ8AFaiNUSSA4IiNTFsvb0fbIaWHOEMPfscKsCf3x8DvnaF8Xmt8LX/uLX+Rhx+ Yr0VOW6fqVr6q+fq2c5MIMi2/IrIEOuVM77bvAdcarqdKQIOn7mlp0jDjbwmQKkmeDc0 CqmH8vh6Jgq4pptypGFucjeTf/mxc6qAH7H6xEg6ngaDF8TLSasqHjXqGJMAQuqdc8ip lh362HEL+9QOymgy0Zqk9FuwY0e4xoyDOrNyDL9eXBR/fxfDptr3Zq8av0bAemSJnAIt odLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763665967; x=1764270767; h=content-transfer-encoding:cc:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=0+voX/RkhDNZJbr/bjaUMB9Cl0+6YQkG11JlQ0ymsz0=; b=Otrj5+YbEPiaofIT7m7edN7DcT+60KSxcNw4IYwhH9ldHN/Q5J+qS2Gj/8n/5xyKyC aoLe238E9EhDNJxIWCCkClBcpzFxwr7dBZTeVDWCaaA2SDtj1LVTcsIYL8s9j1CgAyh3 rDuPjRTZj+WQscNDLkaUdCCJAsVHkSF78OtRwdka+aj8qVDnehqv+08ZLBBYmorRP5Wc tSeIuNz/I/9K3ddkOuDu+ld+LnGNODtSppBwqNxUQWWw/ykAxMebbc23Heq0/OSwZZ0a i+3K9BXrQH8/vEVGn1mGMVREkeGfSyiJFeSQxJZWQDxMXFlG+hrzAYJHavOGY+4YggSc /4pQ== X-Gm-Message-State: AOJu0YxLZRPzHC5UhGDb7qm8W4wUhZpPHtrlBnQv1zIrwyOPgCmzSp4u +50NQn19omw9zeP21A9f2VzaJ5ANTyIkZlxSg8s73Xh9e8Ppoef1SeLZKRxdqdUT1nBPg/ca3Xk puetn75Xo9YMtzJWVspepLdx1QcfePGAA4fa3eDz/Tt853DYVTyZka8NmOg== X-Gm-Gg: ASbGncvx8oWpyf6pI7xs0pqCku/WzH235SK54Y93Hxt8fjV08nh7dZKAA0ZkwiQY5uo f/f18bT0CgcLAz2fKvqGbyJWDoy4a1bj4cTBr01jBtpmk7f+cvkCtnfXet6BQBRcSS43y/eR+wP 0TwhYdW6rKq5hgmr3dkTDsfKKg7ELySC20tohxmcdsWWUhL3bbg6tOC+CFeBvu1jG+A5GWiFJlL 3gC2FMIHv8gw6QeG4UCSyb/iDCkPfGjnC4PQZmGhwNRE/OegyzDiroTV7uQbHofR/Q3WhKU X-Google-Smtp-Source: AGHT+IGyx++SP8Mm3z9vqcPCpjSIeZHc/thXVYxQDZMa3W1aFoP4Ky/rwiI90M8OSA3hsNcMHyI30Qf54Lxt+JfLoGQ= X-Received: by 2002:a17:907:3f17:b0:b71:1164:6a7e with SMTP id a640c23a62f3a-b7654af862cmr58989666b.0.1763665966203; Thu, 20 Nov 2025 11:12:46 -0800 (PST) Precedence: list list-help: list-unsubscribe: list-post: List-Id: x-ms-reactions: disallow MIME-Version: 1.0 References: In-Reply-To: Date: Thu, 20 Nov 2025 19:12:34 +0000 X-Gm-Features: AWmQ_bmvSbnb3UEI9JhhP3aEYIFs5D9-KrTOjKsPLc7s8Xt2OmpLwmLLaFJgW18 Message-ID: Subject: Re: [PHP-DEV] max_input_vars silently truncates input without an error message Cc: PHP internals Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable From: bwetherington@grokability.com (Brady Wetherington) To give you a little more context - I have to support 3 or 4 different versions of PHP, with various differing levels of features being mid-deprecation or emitting warnings. I also have 260 composer dependencies that I am not in direct control of, which might or might not emit their own warnings/errors/etc. If I had warnings emitting, I wouldn't have ever caught it over the noise of everything else that's constantly making noise. I absolutely _did_ used to develop with warnings on, and then run in production without them on, when I was working on software that had one single deployment, and running on one specific version of PHP. But, unfortunately, that's not my situation anymore. (Our software is open-source, and it needs to run on the widest range of PHP versions we can possibly support). And even if we _did_ run with those warnings enabled, I don't think I would've caught it. Because you need to have over ~1000 users in your database to trigger the issue, and I don't have that on my development workstation. We, alas, discovered the issue in _production_, on real customer data - and the production environment does not emit deprecation notices nor warnings nor the like, as you might expect. -B. On Thu, Nov 20, 2025 at 6:17=E2=80=AFPM Julian Somesan = wrote: > > > > On Thu, Nov 20, 2025 at 5:10=E2=80=AFPM Lynn wrote: >> >> >> >> On Thu, Nov 20, 2025 at 3:04=E2=80=AFPM Andrey Andreev wrote: >>> >>> Hi Brady, >>> >>> I agree that E_WARNING is a poor way to handle this limit, and IMO a fa= tal error should be triggered instead. The ability to suppress and ignore i= s the root cause of why your situation is possible at all, and Laravel's be= havior in this instance also did you a massive disservice. >>> >>> That being said however, this is also an extreme and self-inflicted edg= e case. 1k is an absurd number, even 100 input vars should be a sign of poo= r code logic. I urge you to redesign your solution entirely instead of look= ing for a quick workaround. >>> >>> Cheers, >>> Andrey. >> >> >> Unfortunately I'm no stranger to max input vars. We have increased the l= imit to 10k because we will frequently hit over 1k. PHP is used for more th= an just websites. One example is having a range of 20+ shoe sizes with 100+= stores in a single form where you can enter a number per size per store. T= hese forms are not rare in the application my company develops and there's = not really another way to deal with this. There's no performance issue here= and it works just fine, other than being bitten by an invisible issue that= causes data loss. >> >> Having a fatal error would certainly help a lot to at least prevent part= ial data from being processed and potentially causing data corruption. > > > > > Honestly I really do not understand why you call that an " invisible issu= e". > It is emitting a warning all the time, it is your job as a professional = developer to catch all warnings at least in the development phase.