Max Input Vars in php.ini between performance and security

Question

I had got a problem with submitting forms in my PHPbb3 forum, especially, those in administrations panel with large input fields, it is big forum indeed. However, in the php log I noticed an warning:

[21-Apr-2014 07:36:37 Europe/Belgrade] PHP Warning:  Unknown: Input variables exceeded 1000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0

I increased the value to 2500 but the warning is still. However, after setting it to 10000 it gone away and the form submitted correctly.

My question is: Does it has any problems with security or/and the performance of my server to be 10000?

Answer 1

Well certainly there are drawbacks of using thousands of variables in a form post. Performance will drop on both sides, server and client. All values are encoded, copied and decoded several times, so this eats up performance and memory. And what for?

But I'd say that this is not really the point. The thing you should give some thought is this: why the heck does that stuff required thousands of variables in a post? That sounds insane. I suggest you should rethink the architecture behind that. There should be a much easier and more robust solution. A typical approach would be to encode all those variables in a single one, typically some JSON data block.

So far I have seen only one example of an architecture where someone tried to implement a csv file editor as a single html/http based form, posting all fields as separate variables. Believe me, there are better approaches for this.