1
irmtfan
max_input_vars exceeded 1000
  • 2012/11/14 13:02

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Some people report a weird error in newbb.
in newbb/admin/admin_permissions.php after click on submit they return to XOOPS_URL/index.php and it said "Sorry, you don't have the permission to access this area"

I finally could find the root of this issue.
it is because of max_input_vars php config.
if you go to modules/system/admin you can find this error:
PHP WarningUnknownInput variables exceeded 1000. To increase the limit change max_input_vars in php.ini


Quote:

How many input variables may be accepted. Use of this directive mitigates the possibility of denial of service attacks which use hash collisions. If there are more input variables than specified by this directive, an E_WARNING is issued, and further input variables are truncated from the request. This limit applies only to each nesting level of a multi-dimensional input array.



you can see "further input variables are truncated from the request"

so it truncate some data from $_POST and $_GET and finally the modid is set to 0 and you have that error.

i tried to increase max_input_vars bu this:
@ini_set'max_input_vars'10000 );


but failed. it is still set to 1000.
what should we do?

2
Mamba
Re: max_input_vars exceeded 1000
  • 2012/11/14 13:10

  • Mamba

  • Moderator

  • Posts: 11253

  • Since: 2004/4/23


Do you have Suhosin?

See here:

Quote:
It was suhosin. The parameters:

suhosin.get.max_vars
suhosin.post.max_vars
suhosin.request.max_vars

overwrite max_input_vars in php.ini.


See also here

------------------------------------

There is also another entry that might be more relevant to you:

Quote:
max_input_vars has a changeable mode of PHP_INI_PERDIR meaning it can't be changed using ini_set (only in php.ini, .htaccess or httpd.conf)
Support XOOPS => DONATE
Use 2.5.10 | Docs | Modules | Bugs

3
irmtfan
Re: max_input_vars exceeded 1000
  • 2012/11/15 4:51

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Bingo,
Thank you Mamba I didnt try much yesterday because i dont have time.
This is a very old problem that many newbb users reported in this forum.
a recent one is this post:
https://xoops.org/modules/newbb/viewtopic.php?post_id=349853

Even you confirmed that you have this issue in xoops.org.

Note that only websites with large number of "forums" (eg 50) and/or large number of groups ( eg: 20) may counter this issue.

I tried .htaccess but get a 500 error.
but creating a php.ini in the root works fine.
max_input_vars 10000


I will add this important finding to newbb/docs/readme.txt in FAQ

Edit:
I still have 500 Error in some pages like newbb/viewpost.php after adding php.ini
am i doing something wrong?

4
redheadedrod
Re: max_input_vars exceeded 1000

My initial thought when reading this is that a programmer, either from the beginning, or somewhere along the way decided to dynamically create variables to store information about the forums instead of using a multi dimensional table.

As I understand it this is bad programming practice. There is more over head creating a new variable than there is making one multi dimensional. There is NO WAY you should reach 1000 variables using normal good programming practices.

This program sounds like it is in need of making use of OOP code.




5
irmtfan
Re: max_input_vars exceeded 1000
  • 2012/11/16 3:42

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Quote:

There is NO WAY you should reach 1000 variables using normal good programming practices.

I should explain more.
It is not a newbb issue. newbb use "XoopsGroupPermForm" class located in XOOPS_ROOT_PATH/class/xoopsform/grouppermform.php

But reaching to 1000 input variables is not impossible. there are some situations when your input variables reach 1000.
for example in newbb when you have 50 forums/categories and 20 groups and 20*50 =1000
these situations are rare in other modules but if you have for example 100 news category and 10 groups you certainly encounter this issue in news module too.
Also the above numbers are estimated.
In reality you exceed 1000 when forums*groups number is less than 1000 because there are some other $_POST variables like "modid"

I still dount count all $_POST variables in my specific situation.

another note:
in newbb you have another way to set permissions by template.

you will encounter this issue only when you want to "Set permission directly by group" which is not easy and not recommended when you have many forums and groups.


6
redheadedrod
Re: max_input_vars exceeded 1000

Still sounds crazy to me unless it is a xoops issue.

I will keep this in mind though if I ever dig into this module.



7
irmtfan
Re: max_input_vars exceeded 1000
  • 2012/11/18 4:36

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Maybe we can reduce $_POSTS in xoops core classes.
but if you search in google you can see it is general issue in big forums even in professional forums like VB.



Login

Who's Online

61 user(s) are online (31 user(s) are browsing Support Forums)


Members: 0


Guests: 61


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Aug 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits