  1. #1
    SitePoint Zealot

    Gigantic values in forms - a problem?

    I check most of the data that enters via a form to make sure it is not longer than anticipated, say, more than 1000 characters, like this:

    if (strlen($variable) > 1000)
    {
        echo "entry is too big";
        exit();
    }

    But I am wondering if there is any danger that PHP might be overloaded (or some other security risk might be present) because of someone submitting excessively long form entries (in the megabyte range). Even if I check for long submits, PHP must still parse the entry, meaning it will bog down the interpreter. (Perhaps there is a way for PHP to just ignore values over a certain size?)

    [Sorry, I posted this in the wrong section. I can't seem to find a way to delete my post or move it to web security.]
    Last edited by ShinVe; Nov 28, 2011 at 03:48. Reason: wrong section

  2. #2
    Non-Member
    Originally posted by ShinVe:
    I can't seem to find a way to delete my post or move it to web security.]
    We have 30 mins grace after a post to edit or delete it. We can't move it afaik. You can flag your post and ask a mod to move it for you.

    To delete a post, click the edit post button. Then click the 'Go Advanced' edit button. Above the advanced editor box there is a check box and delete button to delete that post. But bear in mind, posts are not actually deleted afaik. They are only hidden from display and so if you did something naughty in a post, the mods can still see it.

    To answer your original question - if you send your form data as a GET, I think the max number of total characters in the query string is something like 1-2k chars. But don't hold me to that. Google should be able to give the exact number.

    If you send the form data as a POST then php should pretty well handle whatever you throw at it in "normal" situations and your main issues might be not enough access to the server's RAM and other resources in situations where you want to calculate and map the trajectory of a rocket to Alpha Centauri.

    1000 chars in a string is normally no problem at all for php.

  3. #3
    chris.upjohn (SitePoint Wizard)
    You should never let a user exceed the string limit when they are filling in the form, as it allows them to think they can type forever. Instead, you should think about using JavaScript to count the number of characters in real time and then issue a warning when they are close to or about to exceed the limit of the form field. The issue of the server handling the data, however, shouldn't be a problem, as modern-day servers are designed to handle large chunks of code without using too much resource. On a shared host, quad cores are typically used, so more or less if the form data is 4-5 MB/s the server should have no problem parsing the data.
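
On the first post's question of whether PHP can ignore oversized values: PHP parses a form body before the script starts, so the hard cap belongs in the `post_max_size` directive (or the web server's own body limit), and the script can then detect a discarded body and enforce per-field limits on the server. This is an added example, not part of any post in this thread; the field names and limits are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example, not from the thread. Field names and limits are hypothetical.
// Convert a php.ini shorthand size such as "8M" to bytes.
function ini_bytes(string $value): int
{
    $number = (int) trim($value);
    switch (strtolower(substr(trim($value), -1))) {
        case 'g': $number *= 1024; // fall through
        case 'm': $number *= 1024; // fall through
        case 'k': $number *= 1024;
    }
    return $number;
}

// Returns [httpStatus, errors, cleanValues] for one form submission.
function check_submission(array $server, array $post, array $limits, int $postMaxBytes): array
{
    $declared = (int) ($server['CONTENT_LENGTH'] ?? 0);
    // When the body exceeds post_max_size, PHP discards it and leaves $_POST empty,
    // so an oversized request looks like an empty form unless this is checked.
    if ($postMaxBytes > 0 && $declared > $postMaxBytes) {
        return [413, ['request body exceeds post_max_size'], []];
    }
    $errors = $clean = [];
    foreach ($limits as $field => $maxBytes) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {               // e.g. name[]=x arrives as an array
            $errors[] = "$field: unexpected type";
        } elseif (strlen($value) > $maxBytes) { // strlen() counts bytes, not characters
            $errors[] = "$field: longer than $maxBytes bytes";
        } else {
            $clean[$field] = $value;
        }
    }
    return [$errors ? 400 : 200, $errors, $clean];
}

// Constructed sample requests; a real script passes $_SERVER and $_POST.
$limits = ['name' => 100, 'comment' => 1000];
$max = ini_bytes('8M'); // a real script: ini_bytes(ini_get('post_max_size'))
print_r(check_submission(['CONTENT_LENGTH' => '40'], ['name' => 'Ann', 'comment' => 'hi'], $limits, $max));
print_r(check_submission(['CONTENT_LENGTH' => '5000'], ['name' => 'Ann', 'comment' => str_repeat('A', 4000)], $limits, $max));
print_r(check_submission(['CONTENT_LENGTH' => '20000000'], [], $limits, $max));
```

`post_max_size` cannot be changed with `ini_set()` at runtime; set it in php.ini or the server configuration.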

