Skip to main content

Why is PHP max_input_vars setting needed? [Resolved]

I have a bit weird question. Why is PHP setting max_input_vars needed?

PHP has a memory limit. So even if somebody sends 10M variables, the request will be terminated because of memory shortage.

What are the risks of setting max_input_vars to 1,000,000?


Question Credit: Alex
Question Reference
Asked December 7, 2017
Tags: php.ini
Posted Under: Network
1 Answers

PHP introduced max_input_vars to address a DOS attack by using hash collisions from GET or POST requests.

A good explanation can be found here:
This PDF is also linked in the article above.

credit: Daniel
Answered December 7, 2017
Your Answer