Gigantic values in forms - a problem?

I check most of the data that enters via a form to make sure it is not longer than anticipated, say, more than a 1000 characters like this

if (strlen($variable) > 1000)
echo “entry is too big”;
exit ();

But I am wondering if there is any danger that PHP might be overloaded (or some other security risk might be present) because of someone submitting excessively long form entries (in the megabyte range). Even if I check for long submits, PHP must still parse the entry, meaning it will bog down the interpreter. (Perhaps there is a way for PHP to just ignore values over a certain size?)

[Sorry, I posted this in the wrong section. I can’t seem to find a way to delete my post or move it to web security.]

We have 30 mins grace after a post to edit or delete it. We can’t move it afaik. You can flag your post and ask a mod to move it for you.

To delete a post, click the edit post button. Then click the ‘Go Advanced’ edit button. Above the advanced editor box there is a check box and delete button to delete that post. But bear in mind, posts are not actually deleted afaik. They are only hidden from display and so if you did something naughty in a post :lol:, the mods can still see it :slight_smile:

To answer your original question - if you send your form data as a GET, I think the max number of total characters in the query string is something like 1-2k chars. But don’t hold me to that. Google should be able to give the exact number.

If you send the form data as a POST then php should pretty well handle whatever you throw at it in “normal” situations and your main issues might be not enough access to the server’s RAM and other resources in situations where you want to calculate and map the trajectory of a rocket to Alpha Centauri :).

1000 chars in a string is normally no problem at all for php.

You should never let a user to be able to exceed the string limit when they are filling in the form as it allows them to think they can type forever, instead you should think about using JavaScript to count the number of characters in real time then issue a warning when they are close or about to exceed the limit of the form field. The issue of the server handing the data however shouldn’t be a problem as modern day servers are designed to handle large chunks of code without using too much resource, on a shared host Quad Cores are typically used so more or less if the form data is 4-5 MB/s the server should have no problem parsing the data.