On Wed, Apr 24, 2013 at 5:14 PM, David OBrien <dgobr...@gmail.com> wrote:

> On Wed, Apr 24, 2013 at 5:09 PM, Ken Kixmoeller <phph...@comcast.net>wrote:
>> Hey - --
>> I have a huge screen -- to make it simple for the user, it does 100s of
>> calls to MySQL and has 1,000s (literally) of POST variables.
>> We have done extensive research and see that upgrading from php 5.1.6-27
>> to
>> 5.1.6-39 is the thing that caused it to break. All other issues (Apache,
>> PHP and MySQL configuration and Versions) have been methodically ruled
>> out.
>> Anybody experience this? Heard of it? Suggest a repair (other than
>> changing
>> my screen)?
>> *** Please don't tell me to redesign the screen -- this may come, but now
>> is an urgent situation.***
>> Worked fine in prior versions for the last 3 years.
>> Thanks,
>> Ken
> Looks like they fixed the bug that allowed that to work...
> php-common-5.1.6-32.el5.x86_64<http://linuxsoft.cern.ch/cern/slc5X/x86_64/yum/updates/php-common-5.1.6-32.el5.x86_64.rpm>
>  [153 KiB] *Changelog* by Joe Orton (2012-02-02): - add security fix for
> CVE-2012-0830 (#786756)
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830

*I looked around google some more and found there is a hard limit of 1000
post variables in 5.1.6*

After weeks of using it, a problem was reported about just one function of
the app that would sometimes return a blank screen. It took me hours of
debugging (read: echo) to figure out what's going on, digging through some
old PHP code (fun!): It appeared that only 1000 post variables arrived on
the server. (Well, 1006 actually, but 2 were added by PHP, and that sounded
like a PHP-style limitation of 1000.) A quick google lookup revealed that
PHP introduced a new feature where it would limit the number of post
variables. For safety reasons.

The variable is called "max_input_vars" with a default of 1000. PHP states
that this feature was introduced in 5.3.9, but I'm running 5.1.6 and the
limit is enforced.

Because the server is for production, it was running with on-screen
warnings turned off. PHP says that it "prints a warning and cuts". For me,
that's a real WTF. A post request should be processed as all-or-nothing.
It should instead refuse the request completely. But for a technology named
"personal home page" the priorities are different.

Reply via email to