MainelyDesign.com Blog
CakePHP Form Security Blackhole on Large Forms
Posted on 06/28/2012 at 11:11 am by Kevin Wentworth
I kept getting the White Screen of Death (WSOD), which is what we at Saco Design have appropriately named the behavior of the default blackhole Security Component setting. The weird issue was that I was getting the issue only on the live server. I had recently updated the live server's version of PHP to the latest 5.3.x release. However, I neglected to update my local PHP version, which was still 5.3.5.
max_input_vars
I was looking through the php.ini file to see if there were any settings that were set too small. I remembered a setting for max_post_size, and while I was looking for that setting I found max_input_vars! It was set to 1000 by default. Now this form is an admin-only (read: ugly) form to update the ACL permissions for the various groups that are set up on any given Site Avenger installation. Guess what?! It had recently crested the 1000 ACO mark, which meant my form was posting over 1000 variables to PHP.
max_input_vars: Come out, Come out, wherever you are...
You will not find an entry for max_input_vars in the php.ini file (at least for 5.3.15). It's a default setting of 1000, so just add the following line to your php.ini file, if you don't find it:
- max_input_vars = 2000
That's it! For once it wasn't the CakePHP Security component to blame. My thinking is that PHP chopped off the form data at 1000 input vars, which either didn't pass the form token string or made the field count/hash not match what was in the form token.
Cheers,
- Kevin Wentworth
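A quick way to confirm that a request is hitting max_input_vars before blaming the Security component, as an added example that is not code from the original post. The function names, the 0.9 warning ratio and the sample field names are assumptions made for illustration, and counting one input variable per name=value pair is an approximation of how PHP applies the limit.

```php
<?php
// Added example, not from the original post. Avoids PHP 7 syntax so it
// also runs on the 5.3.x releases discussed above.

// Count name=value pairs in a raw application/x-www-form-urlencoded body.
function countRawPairs($rawBody)
{
    // explode() on '' yields array(''), and "a=1&&b=2" has an empty
    // segment, so empty strings are filtered out before counting.
    return count(array_filter(explode('&', $rawBody), 'strlen'));
}

// Compare a request body against the limit. $warnRatio is a hypothetical
// early-warning threshold for forms that are about to outgrow the limit.
function inputVarsReport($rawBody, $limit, $warnRatio = 0.9)
{
    $pairs = countRawPairs($rawBody);
    return array(
        'pairs'     => $pairs,
        'limit'     => $limit,
        'truncated' => $pairs > $limit,
        'near'      => $pairs <= $limit && $pairs >= $limit * $warnRatio,
    );
}

// Constructed sample: 1001 fields against the default limit of 1000.
$fields = array();
for ($i = 0; $i < 1001; $i++) {
    $fields[] = 'data[Aco][' . $i . ']=1';
}
$report = inputVarsReport(implode('&', $fields), 1000);
printf("%d pairs, limit %d, truncated: %s\n",
    $report['pairs'], $report['limit'], $report['truncated'] ? 'yes' : 'no');

// Live check for urlencoded POSTs. php://input is not available for
// multipart/form-data, and ini_get() returns false on PHP builds that
// predate the setting, so a limit of 0 or less is skipped.
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $limit = (int) ini_get('max_input_vars');
    if ($limit > 0) {
        $live = inputVarsReport(file_get_contents('php://input'), $limit);
        if ($live['truncated'] || $live['near']) {
            error_log(sprintf('max_input_vars: %d of %d input vars used',
                $live['pairs'], $live['limit']));
        }
    }
}
```

Run early in the request, this writes a line to the PHP error log when a form is at or near the limit, which separates a truncated POST from a genuine token mismatch.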