A bit of background on
The max_input_vars setting is a numeric rule to govern how many variables you can submit during a POST event. Generally, this rule would be applied when data via form or API is submitted to the back end server running PHP.
Although having a default setting of one thousand (1000), there will always be cases that require this rule to be lifted or similarly reduced.
Why would this value be reduced?
Let’s say you have built an application that will only ever take a username, email and password parameter. You could reduce the max_input_vars to restrict unwanted variables submitted to the server, consequently enhancing security.
Why would this value be increased?
Although it sounds crazy needing more 1000 variables allowable in a post-action, this isn’t uncommon, especially for an API. Let’s imagine if your server hosted an employee payment system. It would need to know how much to pay people, so in turn, it accepts a post of data from a Timekeeping system that has all of the days and hours worked by each employee. In a big company, this data can quickly exceed the 1000 variable limit, so, therefore, it would need to be increased.
A quick pointer – Since version 5.3.9, the
max_input_vars configuration has a mode of
PHP_INI_PERDIR which means it can only be altered within the php.ini, .htaccess, httpd.conf or .user.ini files. It cannot be set in line with
ini_set() like a lot of other settings can be. So, if you have been trying to alter it with
ini_set(), this is why you aren’t seeing any results.
Set max_input_vars in php.ini
To adjust the max_input_vars setting, you can set the value within the php.ini which would apply the rule religiously every time the server is booted.
- Find your php.ini folder located in your php/ build directory. If you are using XAMPP this would be xampp/php/php.ini.
- For quickness, press CTRL+F or equivalent to open a search box, type max_input_vars and hit enter, this will find the setting within the .ini file.
- You will now see the line as follows
; max_input_vars = 1000– Take notice of the semicolon at the beginning of the line
- Remove the semicolon and adjust the 1000 value to suit. Important: if you do not remove the semicolon, the default of 1000 will stay applied.
- Save the .ini file and restart apache. Again, if you do not save and restart apache, the rule will not be applied until the next time you restart your server.
Set max_input_vars in .htaccess file
Using the .htaccess method is somewhat easier and especially more flexible especially in shared hosting environments. Follow the steps below to set this rule in your .htaccess file.
- Find your projects .htaccess file
- Open it, and add the following line
php_value max_input_vars 1234. Of course, change the 1234 value to suit your requirements.
- Save the file and all is done. No restart is required!
Set max_input_vars in httpd.conf file
Another method of altering this configuration is by defining the value within the Apache httpd.conf file. For example, if you are running your project on XAMPP, this file is located under xampp/apache/conf. This will change depending on your setup, see the following steps –
- Locate your httpd.conf file within the apache folder usually under /conf subdirectory.
- Open and go to the end of the file, add the code below, changing mod_php7.c to your version of PHP, eg mod_php5.c for PHP 5, etc. And secondly, changing the value of 1234 to your desired maximum limit.
- Save the file.
- Restart Apache and the configuration will be applied.
php_value max_input_vars 1234
Check out other runtime configurations on the docs here.
In this article, you see 3 different methods of altering the max_input_vars PHP setting, each use case will be useful depending on your environment. If it’s a local build, you will generally have access to the php.ini file. If it’s shared hosting, you will usually have access to .htaccess. Hopefully one of these methods helps you adjust the setting.
One last note: PHP will simply not process any variables that are over the max input variable limit, they will just not appear. This is something that can catch people out, thinking there are other problems at hand.