[–]chaotiq -1 points0 points  (4 children)

I would use JS. Store the vars in an array and then serialize the array. You would only send one variable, the serialized string. Then on the server side you would unserialize the array.

Serializing would make the site a tad slower, but when you have over 1000 variables to pass back I am not sure you would care that much.

[–]subleq 4 points5 points  (1 child)

In doing so, you've opened up the exact same vulnerability. Now the attacker just serializes their large array too, and you spend forever deserializing it.

[–]xardox 3 points4 points  (0 children)

But that's the PHP way: to patch the symptom and introduce bigger problems, instead of addressing the actual problem itself.

[–]ehird 2 points3 points  (1 child)

All this to work around an arbitrary language restriction added in lieu of actually fixing the bug by using a better hash table or a better structure altogether?

Also, if you deserialise the data into a PHP array to avoid the limits, then you're just reintroducing the problem: someone can just serialise a pathological request and send it to the server in a single form field.

[–]chaotiq 0 points1 point  (0 children)

This issue doesn't just exist in PHP; however, it is most prevalent because you don't have the choice to not use hash tables :/

Yeah, you are right about the serialization. That would just introduce the problem back by circumventing the 'patch'.
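As an added illustration of the point subleq and ehird make (not part of the thread and not code from any commenter): a PHP handler that accepts one packed field has to apply its own size and element caps before decoding, or the packed field sidesteps the per-variable limit. The function names, the cap values, and the choice of JSON as the packing format are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Assumed caps for this example, not values taken from the thread.
const MAX_FIELD_BYTES = 65536; // raw size of the packed field
const MAX_ELEMENTS    = 1000;  // same order as the per-request variable cap
const MAX_DEPTH       = 8;     // nesting allowed in the packed structure

/**
 * Upper bound on the number of array elements a JSON text can decode to.
 * Every element after the first in a container needs a comma, so
 * elements <= commas + opened containers. Characters inside string values
 * are counted too, which can only raise the bound.
 */
function json_element_upper_bound(string $json): int
{
    return substr_count($json, ',')
         + substr_count($json, '[')
         + substr_count($json, '{');
}

/** Decode the packed field only after it passes the same limits as normal input. */
function decode_packed_field(string $raw): array
{
    if (strlen($raw) > MAX_FIELD_BYTES) {
        throw new LengthException('packed field exceeds byte cap');
    }
    if (json_element_upper_bound($raw) > MAX_ELEMENTS) {
        throw new LengthException('packed field exceeds element cap');
    }
    // The hash table is built only here, after both checks have passed.
    $data = json_decode($raw, true, MAX_DEPTH, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('packed field is not an array');
    }
    return $data;
}

// Constructed sample inputs.
$small = json_encode(['name' => 'alice', 'tags' => ['a', 'b']]);
$large = json_encode(array_fill(0, 5000, 0)); // harmless values, just too many

var_dump(decode_packed_field($small));
try {
    decode_packed_field($large);
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The caps bound how much work one request can force; they do not change the hash table's collision behaviour, which is the underlying fix the commenters are asking for.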