Re: [PHP-DEV] max_input_vars trigger detection

This is only part of a thread. view whole thread
  110105
May 10, 2020 12:34 php@duncanc.co.uk (Craig Duncan)
> > Although not particularly elegant, and it does require you to reject requests that hit but don't exceed the limit, I've used this approach
before: $max = ini_get("max_input_vars") - 1; $check = count($_REQUEST); if ($check > $max) { throw new RequestException("Request is too large, only {$max} input variables are permitted"); }
  110106
May 10, 2020 13:02 david.proweb@gmail.com (David Rodrigues)
Maybe throw an exception by default when it happen. Considering
max_input_vars+1, when hit, throw.

Em dom, 10 de mai de 2020 09:34, Craig Duncan <php@duncanc.co.uk> escreveu:

> > > > Although not particularly elegant, and it does require you to reject > requests that hit but don't exceed the limit, I've used this approach > before: > > > $max = ini_get("max_input_vars") - 1; > $check = count($_REQUEST); > if ($check > $max) { > throw new RequestException("Request is too large, only {$max} input > variables are permitted"); > } >
  110150
May 13, 2020 09:47 come.chilliet@fusiondirectory.org (=?UTF-8?B?Q8O0bWU=?= Chilliet)
Le Sun, 10 May 2020 13:34:12 +0100,
Craig Duncan <php@duncanc.co.uk> a écrit :
> Although not particularly elegant, and it does require you to > reject > requests that hit but don't exceed the limit, I've used this approach > before: > > $max = ini_get("max_input_vars") - 1; > $check = count($_REQUEST); > if ($check > $max) { > throw new RequestException("Request is too large, only {$max} > input variables are permitted"); > }
This is not even correct if I’m not mistaken, as max_input_vars applies independently to GET, POST and COOKIE as I understand it. Here with max_input_vars/2 in GET and POST your exception would throw while the limit was not hit. I know this is a corner case, but it’s just to illustrate it’s hard to detect whether this limit was hit and it would be better in my opinion to have a clean way in core.