When I download a stream from Java to PHP, I sometimes get a PHP error indicating that the input exceeds the max_input_vars limit.
At first I did not understand why. Let me explain first:
Files are uploaded with a similar approach:
To get a picture of why PHP would give me such a warning, I took a dump of the data sent:
file_put_contents('input_vars.log', print_r($_REQUEST, true));
file_put_contents('php_input.log', file_get_contents('php://input'));
Here's the fun part: The download file is 1.8 megabytes. Resulting Logs:
input_vars.log => 5 megabytes, 90,000 lines
php_input.log => 20 megabytes, 283,000 lines
Now the error message suddenly seems legit. php_input.log just contains bytecode, but input_vars.log is formatted as such:
Array
(
    [filename] => 0018-101-001_67.dwg
    [versionId] => 11253
    [filetype] => dwg
    ['á‹Úê-8øFj–sÙ/ghÔ÷JJÐWhvPV] => ...
    ....
)
The first three keys are sent via GET, and all the rest will be files. If I search for occurrences of =>, I get 25 954 matches. So I assume that REQUEST contains 26,000 keys.
Now, to my question: I have set the value of max_input_vars several times, and it now has a value of 30000. Should I just ignore this security setting and set it as high as possible? My concern is that PHP removes parts from the REQUEST array if it has more than 30000 entries, which leads to file corruption.
Are there any security issues when setting this value too high? Perhaps the best way to upload files to PHP?
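An added example, not part of the original post: a receiver that never touches $_REQUEST for the file bytes. PHP only parses a request body into variables for the application/x-www-form-urlencoded and multipart/form-data content types, and php://input is the raw body, which max_input_vars does not truncate. The sketch assumes the Java sender sets Content-Type: application/octet-stream; UPLOAD_DIR, MAX_UPLOAD_BYTES and the stored file name are hypothetical choices.

```php
<?php
declare(strict_types=1);

// Hypothetical settings for this example, not taken from the post.
const MAX_UPLOAD_BYTES = 50 * 1024 * 1024;
const UPLOAD_DIR = '/var/uploads'; // assumed to sit outside the web root

function fail(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg);
}

// Metadata stays in the query string, as in the post (filename, versionId).
$name      = (string)($_GET['filename'] ?? '');
$versionId = filter_input(INPUT_GET, 'versionId', FILTER_VALIDATE_INT);
if (!is_int($versionId) || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
    fail(400, 'bad metadata');
}

// Refuse bodies PHP would try to split into form variables.
$type = strtolower(trim(explode(';', $_SERVER['CONTENT_TYPE'] ?? '')[0]));
if ($type !== 'application/octet-stream') {
    fail(415, 'send the file as application/octet-stream');
}

// Stream the raw body to a temp file; read one byte past the cap to detect overflow.
$tmp = tempnam(UPLOAD_DIR, 'up_');
$in  = fopen('php://input', 'rb');
$out = ($tmp !== false) ? fopen($tmp, 'wb') : false;
if ($in === false || $out === false) {
    fail(500, 'cannot open streams');
}
$written = stream_copy_to_stream($in, $out, MAX_UPLOAD_BYTES + 1);
fclose($in);
fclose($out);

// Compare against Content-Length (absent for chunked requests) to catch truncation.
$declared = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : null;
$tooBig   = $written === false || $written > MAX_UPLOAD_BYTES;
if ($tooBig || ($declared !== null && $written !== $declared)) {
    unlink($tmp);
    fail($tooBig ? 413 : 400, 'upload rejected');
}

rename($tmp, UPLOAD_DIR . '/' . $versionId . '_' . $name);
echo 'stored ', $written, ' bytes';
```

With the body handled this way, max_input_vars can stay at a low value, since only the three query-string keys are ever parsed as variables.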