3

I have a bit of a weird question. Why is the PHP setting max_input_vars needed?

PHP has a memory limit. So even if somebody sends 10M variables, the request will be terminated because of memory shortage.

What are the risks of setting max_input_vars to 1,000,000?

Thanks

Alex

1 Answer

3

PHP introduced max_input_vars to address a DoS attack by using hash collisions from GET or POST requests.

http://lukasmartinelli.ch/web/2014/11/17/php-dos-attack-revisited.html

A good explanation can be found here: https://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
This PDF is also linked in the article above.

Daniel
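Why a memory limit does not bound the cost of hash collisions, as an added example that is not part of the original answer: a toy chained hash table in Python (not PHP's real implementation; `TABLE_SIZE`, `insert_all`, `worst_case_keys` and the sample keys are constructed for illustration) counts key comparisons for evenly spread keys and for keys that all share one bucket, with and without a cap on the number of inputs.

```python
# Toy model, constructed for illustration. It is NOT PHP's hash table;
# it only reproduces the cost behaviour of a chained table under collisions.

TABLE_SIZE = 1 << 16  # bucket count of the toy table (assumption)


def worst_case_keys(n):
    """n distinct integer keys that all fall into bucket 0 of the toy table."""
    return [i * TABLE_SIZE for i in range(n)]


def insert_all(keys, max_input_vars=None):
    """Insert keys and return (stored_keys, key_comparisons).

    max_input_vars models the cap: inputs past the limit are dropped
    before they reach the table, which bounds the worst-case work.
    """
    if max_input_vars is not None:
        keys = keys[:max_input_vars]
    buckets = {}
    comparisons = 0
    for key in keys:
        chain = buckets.setdefault(key % TABLE_SIZE, [])
        for existing in chain:      # walk the chain to detect a duplicate
            comparisons += 1
            if existing == key:
                break
        else:                       # not found: append to the chain
            chain.append(key)
    stored = sum(len(chain) for chain in buckets.values())
    return stored, comparisons


if __name__ == "__main__":
    n = 2000
    # Both inputs hold n integers, so they use the same amount of memory.
    print("evenly spread :", insert_all(list(range(n))))
    # One shared bucket: n*(n-1)/2 comparisons, quadratic in n.
    print("one bucket    :", insert_all(worst_case_keys(n)))
    # Halving the accepted inputs cuts the worst case to roughly a quarter.
    print("capped at 1000:", insert_all(worst_case_keys(n), max_input_vars=1000))
```

The two uncapped inputs are the same size, so a memory limit treats them identically; only the number of accepted variables bounds the quadratic term.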