- (11/14) Getting output from shell_exec() at all timesTAGS:Web ProgrammingWeb Server Admin
- (06/12) View Layer - Getting count of Entities in View in Cakephp 3TAGS:CakephpCake3
- (05/23) Changing URL in beforeRedirect() in Component - Cakephp 3TAGS:CakephpCake3Web Programming
- (01/28) Foundation CSS Framework ResourcesTAGS:FoundationCss
- (01/27) Change View File from Controller in CakePHP 3TAGS:CakephpCake3UsageWeb Programming
- (01/13) Loading Model/Table Anywhere in Cake3TAGS:Cake3Cakephp
- (10/06) CURL PHP 5.5 Issue on Windows (Using Twilio SDK)
Subscribe to my feed
CakePHP Form Security Blackhole on Large Forms
Posted on 06/28/2012 at 11:11 am by Kevin Wentworth
Viewed 9,810 times | 0 comments
I kept getting the White Screen of Death (WSOD). What we at Saco Design have appropriately named the behavior of the default blackhole Security Component setting. The weird issue was that I was getting the issue only on the live server. I had recently updated the live server's version of PHP to the latest 5.3.x release. However, I neglected to update my local PHP version, which was still 5.3.5.
I was looking through the php.ini file to see if there were any settings that were set too small. I remembered a setting for max_post_size, and while I was looking for that setting I found max_input_vars! It was set to 1000 by default. Now this form is a admin-only (read: ugly) form to update the ACL permissions for the various groups that are setup on any given Site Avenger installation. Guess what?! It had recently crested the 1000 ACO mark, which meant my form was posting over 1000 variables to PHP.
max_input_vars: Come out, Come out, wherever you are...
You will not find an entry for max_input_vars in the php.ini file (at least for 5.3.15). It's a default setting of 1000, so just add the following line to your php.ini file, if you don't find it:
- max_input_vars = 2000
That's it! For once it wasn't the CakePHP Security component to blame. My thinking is that PHP chopped off the form data at 1000 input vars, which either didn't pass the form token string or made the field count/hash not match what was in the form token.
- Kevin Wentworth