
What does max_input_vars in php.ini actually affect and what is a safe high value?

I know that the php.ini value for max_input_vars is defaulted to 1000 (I'm using version 5.6). My POST data was getting truncated, so I needed to increase the value. And this did solve my issue. When changing these values, I'd just like to understand what it's actually affecting specifically though.

If I'm sending an array of data to my backend, would this mean that it can only contain around 1000 elements? It didn't seem like the sum of my forms came out to 1000 input fields, so I'm trying to figure out what this number is for.

And what is a safe high number that I can go to? Would 10000 be considered too high?

asked Feb 14 '17 22:02

kenshin9


1 Answer

Basically this is what we like to call a "sanity check". It limits requests to a reasonable level to prevent things like denial-of-service attacks.

From the manual:

How many input variables may be accepted (limit is applied to $_GET, $_POST and $_COOKIE superglobal separately). Use of this directive mitigates the possibility of denial of service attacks which use hash collisions. If there are more input variables than specified by this directive, an E_WARNING is issued, and further input variables are truncated from the request.

In short, raise it to whatever you need it to be and just remember this makes you more vulnerable to attacks that could bog the server down. There's no "safe" number, per se. Just don't overload your server or your PHP requests might start timing out or running out of memory.

answered Oct 23 '22 03:10

Machavity
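
Every submitted name=value pair counts as one input variable, so a form with many rows of a few fields each can pass the limit without looking like "1000 inputs". The following is an added example, not part of the original answer: it counts the pairs in a raw urlencoded body and compares them with what PHP registered, so a truncated request can be rejected instead of processed half-complete. The function names and the sample form are hypothetical, and parse_str(), which is subject to the same limit, stands in for $_POST.

```php
<?php
// Added example (not from the original answer). Assumes a urlencoded body;
// in a real handler pass file_get_contents('php://input') and $_POST.

// Number of name=value pairs the client sent; each one is an input variable.
function count_sent_pairs($rawBody)
{
    return count(array_filter(explode('&', $rawBody), 'strlen'));
}

// Number of leaf values PHP registered, walking nested arrays.
function count_registered_leaves(array $input)
{
    $n = 0;
    array_walk_recursive($input, function () use (&$n) { $n++; });
    return $n;
}

function input_vars_report($rawBody, array $parsed)
{
    $limit = (int) ini_get('max_input_vars');
    $sent  = count_sent_pairs($rawBody);
    return array(
        'limit'      => $limit,
        'sent'       => $sent,
        'registered' => count_registered_leaves($parsed),
        'truncated'  => $sent > $limit,
    );
}

// Constructed sample: 400 table rows x 3 fields = 1200 input variables.
$pairs = array();
for ($i = 0; $i < 400; $i++) {
    $pairs[] = "items[$i][sku]=SKU$i";
    $pairs[] = "items[$i][qty]=1";
    $pairs[] = "items[$i][note]=";
}
$body = implode('&', $pairs);

// parse_str() applies max_input_vars too, so it stands in for $_POST here.
parse_str($body, $parsed);
$r = input_vars_report($body, $parsed);
printf("limit=%d sent=%d registered=%d truncated=%s\n",
    $r['limit'], $r['sent'], $r['registered'], $r['truncated'] ? 'yes' : 'no');
if ($r['truncated']) {
    error_log('max_input_vars exceeded: request data was cut off, reject it');
}
```

php://input is not available for multipart/form-data requests, so this check covers urlencoded forms only.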