2MB is probably too low and it can be set at something like 20MB, but from my understanding setting it low enough will help prevent DoS attacks.
If we change it to something larger, I'm not sure exactly what the effect of changing this default would be for mass-hosting providers, where they can have thousands of WordPress/Drupal/etc. setups on a single node. Changing from 2MB to 20MB for all requests may have quite an effect if there is an attack. Surely all those providers have teams dedicated to setting the right limit, but that shouldn't stop us from using a safe default.

What is impractical with upload_max_filesize and post_max_size, though, is that we can't set the limit for each script, because it affects how PHP is parsing the POST body before the script is even parsed. Unless at one point we provide some kind of option to set ini literals from within a script file before the request is processed (e.g. declare(post_max_size=256M) or something like that), the only option is to use the web server to change the setting. That way most endpoints will benefit from a low limit, and only the targeted scripts or directories will have a higher limit.

For example, with Apache something like this will only change the limit for the parts of the admin where it's needed, and when the HTTP client has a cookie:

    <If "%{REQUEST_URI} =~ m!^/admin/(files|images)/! && -n %{HTTP_COOKIE}">
        php_value post_max_size 256M
        php_value upload_max_filesize 256M
    </If>

I commented with this snippet on relevant documentation pages; hopefully it will help people looking for that kind of info to do something a bit better than setting this limit for the whole server.
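Because post_max_size is applied while PHP parses the body, before the script runs, an endpoint left on the low limit only sees the outcome: an empty $_POST and $_FILES. The following is an added example, not code from the original message or from PHP itself, of detecting that case so the endpoint can answer 413 instead of handling what looks like an empty form; the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not part of PHP.

/** Convert a php.ini shorthand size ("8M", "512K", "1G", "0") to bytes. */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                      // leading digits only
    $unit = strtolower($value[strlen($value) - 1]);
    switch ($unit) {                             // deliberate fall-through
        case 'g': $number *= 1024;
        case 'm': $number *= 1024;
        case 'k': $number *= 1024;
    }
    return $number;
}

/**
 * True when the request declared a body larger than the limit and PHP
 * therefore left both $_POST and $_FILES empty.
 */
function post_body_exceeded_limit(array $server, array $post, array $files, string $limit): bool
{
    $max = ini_size_to_bytes($limit);
    if ($max <= 0) {
        return false;                            // post_max_size = 0 disables the limit
    }
    $declared = (int) ($server['CONTENT_LENGTH'] ?? 0);

    return ($server['REQUEST_METHOD'] ?? '') === 'POST'
        && $declared > $max
        && $post === []
        && $files === [];
}

// The limit read here is whatever the web server configuration set for this path.
if (post_body_exceeded_limit($_SERVER, $_POST, $_FILES, (string) ini_get('post_max_size'))) {
    http_response_code(413);
    exit('Request body exceeds the limit configured for this path.');
}
```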