[Vtigercrm-developers] Profiles & max_input_vars

Adam Heinz amh at metricwise.net
Thu Jul 19 08:22:45 PDT 2012


I hit the max_input_vars problem when migrating a server between Linux
distros, but on a custom module of ours.  I ended up rebuilding our
form to suppress unnecessary post variables.  It sounds like we're
going to need to do something similar here.  Maybe hit the page with
some AJAX and save the changes as they're made?  Or save them on a
per-module basis?

On Thu, Jul 19, 2012 at 4:52 AM, Alan Lord (News) <alanslists at gmail.com> wrote:
> Hi Chaps,
>
> I was seeing something rather strange on my dev server... Whenever I
> edited a profile and saved it, everything below a certain point didn't
> get saved - it all ended up unset below the line:
>
> http://twitpic.com/a999s8/full
>
> I came across this post in a thread which sounded like it made sense:
>
> https://forums.vtiger.com/viewtopic.php?p=75968&sid=ca94fac867d4ee6a6767d09ee2bf5d6c#p75968
>
> So I added a suhosin.ini in my /etc/php5/conf.d and added the following
> lines:
>
> ; Override some of the defaults
> suhosin.get.max_vars 500
> suhosin.post.max_vars 500
>
> I restarted Apache but it still happened.
>
> In the Apache error log was the cluebat I was looking for :-)
>
> [Thu Jul 19 09:24:53 2012] [error] [client ....] PHP Warning:  Unknown:
> Input variables exceeded 1000. To increase the limit change
> max_input_vars in php.ini. in Unknown on line 0, referer: http://...
>
> So I set max_input_vars to 1500 and it worked!
>
> The suhosin settings mentioned above had no noticeable effect so I
> removed them.
>
> The server in question is Ubuntu 12.04 64bit and according to phpinfo();
> it does have the Suhosin patch.
>
> This max_input_vars information probably needs to be mentioned somewhere
> like the Wiki I guess.
>
> According to this post, it seems to be a fairly recent addition to PHP:
>
> http://www.nivas.hr/blog/2012/04/04/beware-of-max_input_vars-php-ini-configuration-option/
>
> I don't like applying this globally to Apache as it is designed to help
> stop attacks so perhaps this parameter should be set in vtiger's
> .htaccess or even loaded just when editing profiles?
>
>
> Cheers
>
> Al
>
> --
> Libertus Solutions
> http://www.libertus.co.uk
>
> _______________________________________________
> http://www.vtiger.com/
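
Added example, not from the thread or from vtiger: a server-side guard that refuses to save when the POST appears to have been cut off at max_input_vars, instead of writing the missing profile permissions as unset. The sentinel field name `__form_complete`, the function names and the `perm_N` field names are hypothetical, and the form is assumed to emit the sentinel as its last field.

```php
<?php
// Added example; not vtiger code. Names below are hypothetical.
const SENTINEL = '__form_complete'; // hidden input emitted as the form's LAST field

// Count leaf values: PHP counts one input variable per name=value pair.
function count_input_vars(array $input)
{
    $n = 0;
    array_walk_recursive($input, function () use (&$n) { $n++; });
    return $n;
}

// Returns null when the POST is complete, otherwise a reason to reject the save.
function post_truncation_reason(array $post, $limit)
{
    // Fields arrive in document order and PHP drops everything past the
    // limit, so a present sentinel means no earlier field was discarded.
    if (isset($post[SENTINEL])) {
        return null;
    }
    if ($limit > 0 && count_input_vars($post) >= $limit) {
        return "input cut off at max_input_vars ($limit)";
    }
    return 'sentinel missing: another limit applied or the form did not send it';
}

// Constructed sample: 1200 permission checkboxes followed by the sentinel.
$full = array();
for ($i = 0; $i < 1200; $i++) {
    $full["perm_$i"] = 'on';
}
$full[SENTINEL] = '1';

// Simulate what the script receives when max_input_vars is 1000.
$truncated = array_slice($full, 0, 1000, true);

foreach (array(array($truncated, 1000), array($full, 1500)) as $case) {
    $reason = post_truncation_reason($case[0], $case[1]);
    echo $reason === null ? "complete: safe to save\n" : "rejected: $reason\n";
}

// In a real handler the limit comes from the running configuration;
// ini_get() returns false before PHP 5.3.9, which casts to 0 here.
// $reason = post_truncation_reason($_POST, (int) ini_get('max_input_vars'));
```

Because the check keys on the last field rather than on one specific setting, it also catches truncation by other request limits such as suhosin.post.max_vars.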

