Home > > PHP, Suhosin and POST data

PHP, Suhosin and POST data

January 9th, 2012

Last week one of my clients reported an issue showing some notices spilled by the application on their development and QA servers. After some regular debugging process, we noticed that the application is not receiving the complete POST data.

Solution was simple, open php.ini, check and increase the value for post_max_size. BANG!!! No change (ofcourse apache was restarted after change in ini). Some more time was spent debugging various things. Even the stupidest thing like whether browser is sending full data to server was also checked. But nothing helped. We again started scanning phpinfo for some help when suddenly we noticed that the servers were having Suhosin patch installed and active (suhosin.ini was a part of additional .ini files).

Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.


We started scanning phpinfo for Suhosin specific settings … EUREKA … we found the following –

suhosin.request.max_vars = 200
suhosin.post.max_vars = 200


Suhosin controls the number of variables that can be passed to a PHP script no matter what you set for post size in php.ini. The default value of this setting is 200 which means your PHP script will only see the first 200 values in $_POST array. All other data is silently truncated. We got this value increased to the one we needed for our script and everything was back to normal.

I spent quite a long time in finding and solving this issue and thus decided to quickly blog about this. Hope this tip will help someone save their quality time.

P.S.: Suhosin has lot of other configurations that may affect your scripts in some way. So, if you get into such a situation where everything looks normal in php.ini, look for Suhosin and its settings. You may find the solution to your problem just like I did.

Tags: , ,