Request Size Limits

Request size limits decide how much data PHP and the web server will accept before application code runs. Large forms, JSON bodies, file uploads, and huge sets of fields can fail at this layer before a controller sees normal input.

The important skill is knowing which limit applies, where it is configured, and how the failure looks.

PHP limits

<?php

declare(strict_types=1);

$limits = [
    'post_max_size' => ini_get('post_max_size'),
    'upload_max_filesize' => ini_get('upload_max_filesize'),
    'max_input_vars' => ini_get('max_input_vars'),
];

foreach ($limits as $name => $value) {
    echo "{$name}: {$value}" . PHP_EOL;
}

// Prints:
// post_max_size: 8M
// upload_max_filesize: 2M
// max_input_vars: 1000

post_max_size limits the whole request body. upload_max_filesize limits one uploaded file. max_input_vars limits how many input variables PHP parses from form data.

If post_max_size is exceeded, $_POST and $_FILES may be empty. That can look like the user submitted nothing, even though PHP rejected the body before parsing it.

Web server limits

The web server or proxy can reject large requests before PHP sees them. Examples include Nginx client_max_body_size, Apache request limits, CDN upload limits, and load balancer limits.

When a request is too large, the user may see 413 Payload Too Large. If PHP never receives the request, changing PHP validation code will not fix it.

Application limits

Runtime limits are not product rules. A profile photo feature may allow only 2M images even if PHP can accept 20M uploads.

<?php

declare(strict_types=1);

function isAllowedBodySize(int $contentLength, int $maxBytes): bool
{
    return $contentLength <= $maxBytes;
}

echo isAllowedBodySize(512000, 1048576) ? 'allowed' : 'too large';
echo PHP_EOL;
echo isAllowedBodySize(2097152, 1048576) ? 'allowed' : 'too large';
echo PHP_EOL;

// Prints:
// allowed
// too large

Use application rules for business decisions, and use server/PHP limits to protect the runtime.

Read Size Settings Carefully

PHP configuration values such as 8M are strings, not byte counts. If application code compares limits, convert them deliberately instead of casting directly to int, which would turn 8M into 8.

Also remember the relationship between upload limits:

one uploaded file <= upload_max_filesize
whole request body <= post_max_size
web server or proxy limit may reject the request before PHP
application rule may be lower than all of the above

A form with several files can pass the per-file limit and still exceed the whole-request limit.

Fail Clearly For Users

Infrastructure limits should be configured high enough that the application can usually return a useful validation message for product-level rules.

For example, if the product allows a 5M image but the proxy rejects everything above 1M, the application never gets a chance to explain the real rule. Keep the limits aligned and test a request near each boundary.

For upload-specific failures, inspect $_FILES['field']['error'] as well. PHP reports cases such as partial uploads and per-file limit failures there.

What you should be able to do

After this lesson, you should be able to inspect PHP request limits, interpret their relationship, explain why large requests may never reach controller validation, recognise a 413 response, inspect upload errors, and separate infrastructure limits from business validation.