MainelyDesign.com Blog

CakePHP Form Security Blackhole on Large Forms

Posted on 06/28/2012 at 11:11 am by Kevin Wentworth
Viewed 14,839 times | 0 comments

I kept getting the White Screen of Death (WSOD).  What we at Saco Design have appropriately named the behavior of the default blackhole Security Component setting.  The weird issue was that I was getting the issue only on the live server.  I had recently updated the live server's version of PHP to the latest 5.3.x release.  However, I neglected to update my local PHP version, which was still 5.3.5. 

max_input_vars

I was looking through the php.ini file to see if there were any settings that were set too small.  I remembered a setting for max_post_size, and while I was looking for that setting I found max_input_vars!  It was set to 1000 by default.  Now this form is a admin-only (read: ugly) form to update the ACL permissions for the various groups that are setup on any given Site Avenger installation.  Guess what?!  It had recently crested the 1000 ACO mark, which meant my form was posting over 1000 variables to PHP.

max_input_vars: Come out, Come out, wherever you are...

You will not find an entry for max_input_vars in the php.ini file (at least for 5.3.15).  It's a default setting of 1000, so just add the following line to your php.ini file, if you don't find it:

That's it!  For once it wasn't the CakePHP Security component to blame.  My thinking is that PHP chopped off the form data at 1000 input vars, which either didn't pass the form token string or made the field count/hash not match what was in the form token. 

Cheers,

- Kevin Wentworth