In PHP, how can I detect that input vars were truncated due to max_input_vars being exceeded?

Question

I know that an E_WARNING is generated by PHP

PHP Warning: Unknown: Input variables exceeded 1000

But how can I detect this in my script?

Interesting question, but do you anticipate that you'll ever **really need** an extraordinarily high number of input vars? What's the logic behind your question? Because if you actually *need* ~1000 input vars there's a high probability that you're solving the problem incorrectly. — , Aug 29 '12 at 01:47
You could intercept the warning by creating your own error handler. See http://stackoverflow.com/questions/1241728/can-i-try-catch-a-warning — bumperbox, Aug 29 '12 at 02:00
@rdlowrey This is not public-facing site; it solves a specific business purpose which requires transferring a lot of state from the browser to the server. — Andy, Aug 30 '12 at 01:51
@bumperbox Would this actually work? It seems the Warning is generated *before* the error handler can be set. — Andy, Aug 30 '12 at 01:53
If you use names like `field[15]` to create array entries in `$_REQUEST[]`, the whole array is treated as one input variable. Only as few weeks ago I had to use this to get around the 1000 variable limit. — staticsan, Aug 30 '12 at 02:35
@Andy if this is the case it would likely make much more sense to build up a JSON string client-side and transfer that in the entity body of a request. Like I said, *if you actually need a huge number of input vars, you're probably doing it wrong*. — , Aug 30 '12 at 14:33
And further, if it's "not a public-facing site" you could just up the `max_input_vars` limit as it's only a security feature to help mitigate attacks. Hopefully no one on your internal network plans to launch any DDoS attacks against your site? — , Aug 30 '12 at 14:39
@rdlowrey I didn't ask how to mitigate or redesign to avoid the problem. I asked how to detect it. — Andy, Aug 30 '12 at 18:33
@Andy Which is why I commented with a suggestion and didn't answer. — , Aug 30 '12 at 18:34

score 11 · Accepted Answer · edited Aug 30 '12 at 02:12

11

A "close enough" method would be to check if( count($_POST, COUNT_RECURSIVE) == ini_get("max_input_vars"))

This will cause a false positive if the number of POST vars happens to be exactly on the limit, but considering the default limit is 1000 it's unlikely to ever be a concern.

edited Aug 30 '12 at 02:12

Andy

11,215
5
31
33

answered Aug 29 '12 at 01:55

Niet the Dark Absol

320,036
81
464
592

`$_GET` and `$_COOKIE` are both considered input vars. And both can contain values even if the `$_POST` array is populated. How does this account for those scenarios? – Aug 29 '12 at 02:07
If I understand right, `max_input_vars` applies individually to `$_GET`, `$_POST` and `$_COOKIE` – Niet the Dark Absol Aug 29 '12 at 02:08
I'm not really familiar with the exact behavior for `max_input_vars` in such instances -- which is why I'm asking. It seems like an ugly hack (not your code, the PHP implementation) because the superglobals themselves are an ugly hack. – Aug 29 '12 at 02:11
@Kolink I added COUNT_RECURSIVE to your answer. Seems like it would work to detect the problem. Thanks. – Andy Aug 30 '12 at 01:55
1

That is a lot of work only to find out. Probably PHP needs to be extended if you want to have more control. – hakre Aug 30 '12 at 15:10

score 7 · Answer 2 · edited Mar 27 '17 at 15:27

7

count($_POST, COUNT_RECURSIVE) is not accurate because it counts all nodes in the array tree whereas input_vars are only the terminal nodes. For example, $_POST['a']['b'] = 'c' has 1 input_var but using COUNT_RECURSIVE will return 3.

php://input cannot be used with enctype="multipart/form-data". http://php.net/manual/en/wrappers.php.php

Since this issue only arises with PHP >= 5.3.9, we can use anonymous functions. The following recursively counts the terminals in an array.

function count_terminals($a) {
  return is_array($a)
           ? array_reduce($a, function($carry, $item) {return $carry + count_terminals($item);}, 0)
           : 1;
}

edited Mar 27 '17 at 15:27

Strae

18,807
29
92
131

answered Jan 31 '15 at 13:26

Dan Chadwick

361
3
7

I confirm this is correct in PHP 8.2. Also, the documentation says about max_input_vars "limit is applied to $_GET, $_POST and $_COOKIE superglobal separately" (https://www.php.net/manual/en/info.configuration.php#ini.max-input-vars) – mikl Jul 05 '23 at 22:02

score 4 · Answer 3 · answered Nov 24 '15 at 06:13

What works for me is this. Firstly, I put this at the top of my script/handler/front controller. This is where the error will be saved (or $e0 will be null, which is OK).

$e0 = error_get_last();

Then I run a bunch of other processing, bootstrapping my application, registering plugins, establishing sessions, checking database state - lots of things - that I can accomplish regardless of exceeding this condition.. Then I check this $e0 state. If it's not null, we have an error so I bail out (assume that App is a big class with lots of your magic in it)

if (null != $e0) {
    ob_end_clean(); // Purge the outputted Warning
    App::bail($e0); // Spew the warning in a friendly way
}

Tweak and tune error handlers for your own state.

Registering an error handler won't catch this condition because it exists before your error handler is registered.

Checking input var count to equal the maximum is not reliable.

The above $e0 will be an array, with type => 8, and line => 0; the message will explicitly mention input_vars so you could regex match to create a very narrow condition and ensure positive identification of the specific case.

Also note, according to the PHP specs this is a Warning not an Error.

Thanks, I added something similar and it seems to work perfectly. (somwhere in a filter: $e0 = error_get_last(); if (null != $e0) { Log::error($e0); throw new PostSizeExceededException(); } — buildcomplete, Dec 16 '15 at 23:23

score 1 · Answer 4 · answered Aug 30 '12 at 19:54

function checkMaxInputVars()
{
    $max_input_vars = ini_get('max_input_vars');
    # Value of the configuration option as a string, or an empty string for null values, or FALSE if the configuration option doesn't exist
    if($max_input_vars == FALSE)
        return FALSE;

    $php_input = substr_count(file_get_contents('php://input'), '&');
    $post = count($_POST, COUNT_RECURSIVE);

    echo $php_input, $post, $max_input_vars;

    return $php_input > $post;
}

echo checkMaxInputVars() ? 'POST has been truncated.': 'POST is not truncated.';

score 1 · Answer 5 · answered Feb 06 '14 at 11:16

Call error_get_last() as soon as possible in your script (before you have a chance to cause errors, as they will obscure this one.) In my testing, the max_input_vars warning will be there if applicable.

Here is my test script with max_input_vars set to 100:

<?php
if (($error = error_get_last()) !== null) {
    echo 'got error:';
    var_dump($error);
    return;
}
unset($error);

if (isset($_POST['0'])) {
    echo 'Got ',count($_POST),' vars';
    return;
}
?>
<form method="post">
<?php
for ($i = 0; $i < 200; $i++) {
    echo '<input name="',$i,'" value="foo" type="hidden">';
}
?>
<input type="submit">
</form>

Output when var limit is hit:

got error:
array
  'type' => int 2
  'message' => string 'Unknown: Input variables exceeded 100. To increase the limit change max_input_vars in php.ini.' (length=94)
  'file' => string 'Unknown' (length=7)
  'line' => int 0

Tested on Ubuntu with PHP 5.3.10 and Apache 2.2.22.

I would be hesitant to check explicitly for this error string, for stability (they could change it) and general PHP good practice. I prefer to turn all PHP errors into exceptions, like this (separate subclasses may be overkill, but I like this example because it allows @ error suppression.) It would be a little different coming from error_get_last() but should be pretty easy to adapt.

I don't know if there are other pre-execution errors that could get caught by this method.

Good answer. Turning errors into exceptions wouldn't work for this case though, right? Because the error is raised before the handler is set. If only there was an actual error code like PHP_ERROR_TOO_MANY_INPUT_VARS which could be checked for. — Andy, Feb 06 '14 at 17:02
@Andy You could save the error somewhere and manually pump it into your error handler as it's getting installed, or throw as exception when you're ready. Perhaps matching the string to detect this specific error to be able to handle more gracefully. Looking at the string may not be that bad, as I guess that is the only way to detect specific errors, so presumably PHP wouldn't change the strings. — Joey Hewitt, Feb 06 '14 at 17:59

score 0 · Answer 6 · answered Mar 27 '17 at 15:52

0

What about something like that:

$num_vars = count( explode( '###', http_build_query($array, '', '###') ) );

You can repeat it both for $_POST, $_GET, $_COOKIE, whatever.

Still cant be considered 100% accurate, but I guess it get pretty close to it.

answered Mar 27 '17 at 15:52

Strae

18,807
29
92
131

In PHP, how can I detect that input vars were truncated due to max_input_vars being exceeded?

6 Answers6

Linked