Skip to main content

Why is PHP max_input_vars setting needed? [Resolved]

I have a bit weird question. Why is PHP setting max_input_vars needed?

PHP has a memory limit. So even if somebody sends 10M variables, the request will be terminated because of memory shortage.

What are the risks of setting max_input_vars to 1,000,000?

Thanks


Question Credit: Alex
Question Reference
Asked December 7, 2017
Tags: php.ini
Posted Under: Network
68 views
1 Answers

PHP introduced max_input_vars to address a DOS attack by using hash collisions from GET or POST requests.

http://lukasmartinelli.ch/web/2014/11/17/php-dos-attack-revisited.html

A good explanation can be found here: https://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
This PDF is also linked in the article above.


credit: Daniel
Answered December 7, 2017
Your Answer
D:\Adnan\Candoerz\CandoProject\vQA