How can we improve WHMCS?

Share, discuss and vote for what you would like to see added to WHMCS

Do not use POST form data on pages that could have a large amount of data



While configuring "Domain Pricing" we noticed that all of the domain data + pricing is submitted as POST form data when you click on "Save Changes".

With about ~30 domains + 10 types of pricing each we were able to hit the default max_input_vars limit of PHP, which is 1000. This prevents you from saving any changes you have made on the page.

At the moment the fix for this is to increase the max_input_vars value, which by itself can open a way for Denial of Service attacks (as per the official PHP docs [here](https://www.php.net/manual/en/info.configuration.php#ini.max-input-vars)). To prevent that you'd also need to apply a whole other set of configuration to limit max_input_vars to certain pages, which, depending on the environment setup, would be hard to do or would require a lot of hack fixes.

Ideally, the Domain Pricing page and other similar pages would pass this data via body content (JSON, or any other format), so that changes to php.ini would not be required.
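
Added example, not part of the original request and not WHMCS code: a PHP sketch of a handler that reads the pricing matrix from a JSON request body, which PHP does not split into `$_POST` variables and so is not counted against `max_input_vars`. Because that guard no longer applies, the handler sets its own bounds on size, nesting and value count; the function name, the limits and the payload shape are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical limits for this sketch; size them to the real pricing matrix.
const MAX_BODY_BYTES  = 262144; // 256 KiB
const MAX_JSON_DEPTH  = 4;      // room for tld -> pricing type -> term
const MAX_PRICE_CELLS = 20000;

/**
 * Decode a JSON pricing payload with explicit bounds.
 * Assumed shape: {"com": {"register": {"1": "9.99"}}, ...}
 */
function decodePricingPayload(string $raw, string $contentType): array
{
    if (stripos($contentType, 'application/json') !== 0) {
        throw new InvalidArgumentException('Expected application/json');
    }
    if (strlen($raw) > MAX_BODY_BYTES) {
        throw new LengthException('Request body too large');
    }
    // JSON_THROW_ON_ERROR raises JsonException on malformed or too-deep input.
    $data = json_decode($raw, true, MAX_JSON_DEPTH, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('Top level must be a JSON object');
    }
    $cells = 0;
    // Visits every leaf value, so the count is bounded like max_input_vars was.
    array_walk_recursive($data, function ($value) use (&$cells): void {
        if (++$cells > MAX_PRICE_CELLS) {
            throw new LengthException('Too many pricing values');
        }
        if (!is_string($value) || !preg_match('/^-?\d{1,7}(\.\d{1,2})?$/', $value)) {
            throw new UnexpectedValueException('Invalid price value');
        }
    });
    return $data;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input, for running the sketch offline.
    $sample = '{"com":{"register":{"1":"9.99","2":"18.50"},"renew":{"1":"11.00"}}}';
    var_dump(decodePricingPayload($sample, 'application/json'));
} else {
    try {
        // Read one byte past the cap so oversized bodies are detected, not truncated.
        $raw = (string) stream_get_contents(fopen('php://input', 'rb'), MAX_BODY_BYTES + 1);
        $pricing = decodePricingPayload($raw, $_SERVER['CONTENT_TYPE'] ?? '');
        http_response_code(204); // persistence of $pricing is out of scope here
    } catch (Throwable $e) {
        http_response_code(400);
    }
}
```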
