This occurred on Windows 2000 server running IIS 5.0 and PHP 4.3.8.  The problem did not occur when handled by Apache, even on another Windows server.

Note: I realize passing this much data is best accomplished using the POST method, which would avoid this problem all together. I'm merely detailing a problem that I came across.

I have created a page that includes the (very long) query string that was used and some of the results that I saw while testing. It can be viewed at http://www.csb7.com/test/php_iis_qs_limit/. I didn't want to include it here as it would stretch the page out significantly.

~Chris Bloom
mfyahya at gmail dot com
07-Jun-2005 09:33
If you use Apache's redirection features for custom error pages or whatever, the following Apache's REDIRECT variables are also available in $_SERVER:
$_SERVER['REDIRECT_UNIQUE_ID]'
$_SERVER['REDIRECT_SCRIPT_URL]'
$_SERVER['REDIRECT_SCRIPT_URI]'
$_SERVER['REDIRECT_SITE_ROOT]'
$_SERVER['REDIRECT_SITE_HTMLROOT]'
$_SERVER['REDIRECT_SITE_CGIROOT]'
$_SERVER['REDIRECT_STATUS]'
$_SERVER['REDIRECT_QUERY_STRING]'
$_SERVER['REDIRECT_URL]'

I'm not sure if this is a complete list though
mp at wds-tech dot de
02-Jun-2005 03:12
Also aviable is the $_SERVER['SERVER_ADDR'] which returns the current IP of the server the script is running on.
webKami (et) AKDomains.com
24-May-2005 02:47
PHP Secure Class to prevent XSS Attacks

Although this is not bullet proof but it would give you an idea on how to filter incoming data.

Copyleft : LGPL
Idea by: phpsec GROUP @ PHP|arch

Coded By: webKami

For those who are new to PHP and just heard of XSS attacks, this is the basic rule.

"NEVER EVER TRUST EXTERNAL DATA"

For this purpose I have coded a class that can be used to filter all external data, from POST, GET, COOKIE and even your own arrays.

An example is that if you need only integers from a certain parameter just request for integer
e.g. getVarInt("id")

You can even tell it to give you a default value if param is not set, so that your page would not FAIL in case of a NULL value
e.g. getVarInt("id",1)

You can also fetch data from a param array, like a set of colors
e.g. getVarInt("colors",0,0)
e.g. getVarInt("colors",0,1)

Get these variables in a loop limited by the count of that array's elements
e.g. getVarCount("colors")

The complete code of class and its usage can be found here

http://www.webkami.com/programming/php/php-secure-class-to-avoid-xss