Using PHP to Limit the length of text that can be sent to server

Question

I know how to do this on a user form using HTML. However, malicious users can by pass that form to call the server action page and send abnormally large sized text.

Is there anyway to deny such requests from the server. Perhaps, there is a mechanism by which we can realize in advance the size of POST data that is arriving before it actually arrives, similar to upload of huge files.

Answer 1

Edit the php.ini file and set the max post size to the number in megabytes you want to allow. Keep in mind you need it high enough for long blog posts and what not.

post_max_size = 4M

Other settings you should check are

; Maximum execution time of each script, in seconds
; http://php.net/max-execution-time
; Note: This directive is hardcoded to 0 for the CLI SAPI
max_execution_time = 30

; Maximum amount of time each script may spend parsing request data. It's a good
; idea to limit this time on productions servers in order to eliminate unexpectedly
; long running scripts.
; Note: This directive is hardcoded to -1 for the CLI SAPI
; Default Value: -1 (Unlimited)
; Development Value: 60 (60 seconds)
; Production Value: 60 (60 seconds)
; http://php.net/max-input-time
max_input_time = 60

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 30MB

If you are using Apache or Nginx you can also set the max request size in the server config so they can block the request before it even reaches php.

Answer 2

You can use Suhosin. It's a protection system for PHP. And among the settings, you can forbid requests over a certain length.

Answer 3

By the time PHP processes the POST data, it's a little late. This is better accomplished at the web server level. If you're using Apache, check out the LimitRequestBody directive.