I’m always a worry-wart about security in my PHP applications, and I just (potentially) thought of a way a hacker could kill my script. Currently my application takes form data and submits it as an array to a PHP script via AJAX, then loops through this array.
foreach($_POST['form_data'] as $field => $value){
//Do something here.
}
However, what if a hacker were to forge an AJAX request, and repeatedly submit the ‘form_data’ array with 100000000000 random elements? The loop would have to iterate through each element, possibly causing a DoS (or at least slow down service), correct?
I’m not entirely educated here, so I may have some incorrect assumptions. Thanks for any input!
This will not be an issue: PHP limits the maximum number of POST vars using the max_input_vars directive, which defaults to 1000 variables. This limit is actually enforced to prevent a much more serious type of DoS attack than the one you are thinking about (really, iterating a few thousand array elements is like nothing), namely hash table collision based attacks (often referred to as HashDOS). For more info on that issue see my article Supercolliding a PHP array.
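As an added example (not code from the question or the answer), here is an application-level guard placed in front of the `foreach` loop from the question: PHP's max_input_vars already caps how many POST variables get parsed at all, and this adds an explicit per-form field limit plus an allow-list of field names. The field names, the `validateFormData` function and the 400 response are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. PHP's max_input_vars (php.ini,
// default 1000) bounds the total number of parsed POST variables; this guard
// additionally enforces a per-form cap and an allow-list of field names so the
// loop body only ever runs for fields the form actually defines.

declare(strict_types=1);

/**
 * Validate the submitted form_data array before looping over it.
 * Returns the cleaned array, or null when the request should be rejected.
 */
function validateFormData($formData, array $allowedFields, int $maxFields): ?array
{
    // Must be an array: a scalar here means the client did not send form_data[...].
    if (!is_array($formData)) {
        return null;
    }

    // Hard cap on the number of fields, independent of max_input_vars.
    if (count($formData) > $maxFields) {
        return null;
    }

    $clean = [];
    foreach ($formData as $field => $value) {
        // Reject unknown field names (including numeric keys from form_data[]=x)
        // and nested arrays such as form_data[a][b]=x.
        if (!in_array($field, $allowedFields, true) || !is_string($value)) {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Hypothetical field names for this form; the cap equals the number of fields.
$allowedFields = ['name', 'email', 'message'];

$data = validateFormData($_POST['form_data'] ?? null, $allowedFields, count($allowedFields));
if ($data === null) {
    http_response_code(400);
    exit('Invalid form submission');
}

foreach ($data as $field => $value) {
    // Do something here: at most count($allowedFields) iterations.
}
```

When a request does exceed max_input_vars, PHP drops the surplus variables and logs a warning to that effect, so that warning in the PHP error log is a useful signal that someone is sending oversized form submissions.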