Why is max_input_vars ignored?

I have max_input_vars set to 10000 in .htaccess. ini_get('max_input_vars') correctly returns 10000 and phpinfo correctly shows the local value of max_input_vars to be 10,000 (with a master value of 1,000) and yet a sample script on a GoDaddy shared server with anything more than 1,000 <input type="hidden" name="input[]" value="n"> fields only populates $_POST['input'] with 1,001 elements, whereas when run on my local machine it works correctly. Both are running PHP 7.2 and both have post_max_size 100M.

Is there some server setting that means the local value of max_input_vars is ignored?

The script I’m using to test this is below. You enter the number of hidden input fields to create, click the “Create inputs” button, and then submit.

<pre>ini_get('max_input_vars'): <?php echo ini_get('max_input_vars'); ?></pre>
<form method="post">
  <div id="inputs"></div>
  <label for="number">Input vars:</label>
  <input id="number" type="number" min="0" max="2000" maxlength="4" step="1" value="">
  <button type="button" onclick="createInputs()">Create inputs</button>
  <pre>document.getElementsByClassName('input').length: <span id="count">0</span></pre>
  <button type="submit">Submit</button>
</form>
<pre>$_POST: <?php print_r($_POST); ?></pre>
<script>
function createInputs()
{

  var inputs = document.getElementById('inputs')

  inputs.innerHTML = ''

  var input
  
  for (var i = 1, n = document.getElementById('number').value; i <= n; ++i)
  {

    input = document.createElement('input')

    input.setAttribute('type', 'hidden')
    input.setAttribute('class', 'input')
    input.setAttribute('name', 'input[]')
    input.setAttribute('value', i)
    
    inputs.appendChild(input)

  }

  document.getElementById('count').innerText = document.getElementsByClassName('input').length

}
</script>

<pre>ini_get('max_input_vars'): <?php echo ini_get('max_input_vars'); ?></pre>

<form method="post">

  <div id="inputs"></div>

  <label for="number">Input vars:</label>

  <input id="number" type="number" min="0" max="2000" maxlength="4" step="1" value="">

  <button type="button" onclick="createInputs()">Create inputs</button>

  <pre>document.getElementsByClassName('input').length: <span id="count">0</span></pre>

  <button type="submit">Submit</button>

</form>

<pre>$_POST: <?php print_r($_POST); ?></pre>

<script>

function createInputs()

{

​

  var inputs = document.getElementById('inputs')

​

  inputs.innerHTML = ''

​

  var input

  for (var i = 1, n = document.getElementById('number').value; i <= n; ++i)

  {

​

    input = document.createElement('input')

​

    input.setAttribute('type', 'hidden')

    input.setAttribute('class', 'input')

    input.setAttribute('name', 'input[]')

    input.setAttribute('value', i)

    inputs.appendChild(input)

​

  }

​

  document.getElementById('count').innerText = document.getElementsByClassName('input').length

​

}

</script>

​

Before submitting form (on both local machine and remote server):

After submitting form on local machine:

After submitting form on remote server:

Answer

After some testing I was able to get it working by setting max_input_vars=10000 in a .user.ini file in the document root. I suspect that cPanel was filtering the input before the rule in .htaccess was applied.