0

So my client has this old order portal that allows users to put in an order amount per material, and submit that order. My error log was tossing out a warning PHP Warning: Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini.

So I decided to var_dump() my $_REQUEST variable when the user hits the submit button.

Hilarity ensued when I found that not only did my $_REQUEST variable contain the materials a user put an amount input for, but also the HUNDREDS of other materials with no order amount/quantity.

array(1001) { ["CSRFToken"]=> string(69) "nice" ["submitbutton"]=> string(12) "Submit Order" ["material1006360"]=> string(1) "1" ["material1875"]=> string(1) "1" ["material1000987"]=> string(1) "0" ["material8800"]=> string(1) "0" ["material8703"]=> string(1) "0" ["material8799"]=> string(1) "0"...

And this literally goes on for a few hundred materials. What's even weirder is we actually have a nice little cart that auto generates at the top of the page once you put a quantity in. So obviously a variable is getting created and updated for the cart, so it is odd that the cart isn't getting passed, but rather the whole page of materials.

I suppose my question is, how do I control exactly what vars are getting submitted by the user? How can I make $_REQUEST contain a lot less junk data?

I have a high level conceptual understanding of it, but as you can tell, I don't know where exactly to look for when/where/how this data is getting submitted by the user. I'm still sort of new to this, and I'm honestly not sure if this is all done by PHP, or if the JS has anything to do with it either.

I could really use some wisdom with this, because I'm sure data submission from a user input will be a common occurrence in my future web dev journey.

edit: The page seems to be using a list of elements using vanilla HTML input forms: <input type="number" class="quantity form-control" name="material1006360" id="material1006360" value="0" style="user-select: auto;">

So each material has an input form like that, and upon submission just runs through every single form.

edit 2: So upon investigation, my entire material list consists of every material input in ONE form. So upon submission for that form, it reads hundreds of empty material inputs. I then tried to disable the input element, and ran the `var_dump($_REQUEST). To my surprise, it did actually clear the submitted var. I found this awesome post here: Event on a disabled input That had a great discussion on disabling input. My idea is to have the input have an on-click event listener that will trigger them active. It's not perfect, but should make my submission vars much cleaner.

Powermaster Prime
  • 402
  • 1
  • 2
  • 16
  • Add some code, so we can have a look. – Grumpy Mar 09 '22 at 19:31
  • 1
    It sounds like the order input screen has all potential items and they enter values in a the fields they want, right? But maybe it's using a vanilla HTML submit form so it has all those inputs with no value. You could go to the form and update it to have an `onsubmit` JavaScript method and use that method to build the same shaped post but with all of the fields with no items entered not present. Use your browser network tools to observe the shape of the data sent server-side and replicate (but with the fields you don't want/need omitted of course). – Cymen Mar 09 '22 at 19:31
  • Yup, I just dug through each material quantity input field, and they all seem to be vanilla HTML: `` – Powermaster Prime Mar 09 '22 at 19:55

0 Answers0