Problem: settings cannot be saved.

Problem:
I install the software, configure it, then go to the form setup window, enter settings such as the “from” email address, configure some extra fields, etc. I then click “Update Options” and the browser window appears to refresh and load the form again, but none of the settings I just entered show up on the form (or only some of them show as changed). This can happen with both the WordPress and the PHP versions.

Explanation:
This can happen on some servers because the admin form edit page has over 200 fields on it. Some servers use the PHP Suhosin patch/extension, which imposes limits on POST variables that can prevent certain forms from working properly. When Suhosin’s limit on the number of fields is exceeded, its default behavior is to log the error to syslog, not the Apache error log. Suhosin does not show any error on the screen to indicate what just happened.

How to check if your server has Suhosin:
Put this PHP code in a test.php file and use an FTP program like FileZilla to upload it to your server.
<?php phpinfo(); ?>
Next, view the page at its URL on your web site. This page will show PHP information with details about the PHP server configuration. After the page is loaded, use your web browser to search the page for the word “Suhosin”. If the word is found, your server does have it. Be sure to remove the test.php page when you are done because leaving this information online can be a low level security risk.

What can be done to fix it?
1. You can try to enable suhosin.simulation for the account (domain) instead of disabling Suhosin server wide. When suhosin.simulation is turned ON, violations are logged as usual but nothing is blocked or removed from the request. You can do this in either of the following ways:
a) Enable suhosin.simulation in a .htaccess file of the domain (non-suphp enabled server)
php_flag suhosin.simulation On

OR

b) Create a php.ini file under the account (domain) and turn ON the simulation
suhosin.simulation = On

There is no need to restart any service in either case. As not all servers are set up equally, be prepared to undo these changes if they do not work.

2. Ask your web host to examine the server logs; they may be able to point out the exact Suhosin directive violations that are occurring. Suhosin has a few different installation methods and about 100 different settings. Examining the log files will reveal just which setting(s) need to be adjusted. Here is a sample from a log file found in /var/log/messages:
Jul 20 14:17:23 centos4 suhosin[29460]: ALERT - configured POST variable limit exceeded - dropped variable 'si_contact_text_message_sent' (attacker '192.168.1.10', file '/var/www/html/mosaic/htdocs/blog-test/wp-admin/plugins.php')

You could adjust the Suhosin max_vars settings usually found in php.ini:
Default is 200, so adjust the following values to a higher number, such as 1000:
suhosin.post.max_vars = 1000
suhosin.request.max_vars = 1000

This setting is normally used to limit an attacker from flooding your server with thousands of post variables in an attempt to overtake it or bring it down. 1000 is still a rather small amount that will not cause any decrease in security. It is common for security programs to periodically need settings adjustments; that is why the setting is there. These settings are available in the php.ini or the suhosin.ini. There may be other settings involved, so contact the server administrator if you need help.
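
The log check described in step 2, as an added example that is not part of the original page or the plugin: it reads syslog lines, collects the variables Suhosin dropped per script, and estimates the smallest limit that would let the form through. The request-alert wording, the alert-to-directive mapping, and every sample line after the first are assumptions or constructed data.

```python
import re
from collections import defaultdict

# Suhosin "variable limit exceeded" alert as written to syslog (/var/log/messages).
ALERT_RE = re.compile(
    r"suhosin\[\d+\]: ALERT - configured (?P<kind>\w+) variable limit exceeded"
    r" - dropped variable '(?P<var>[^']*)'"
    r" \(attacker '(?P<client>[^']*)', file '(?P<file>[^']*)'\)"
)

# Assumption: alert wording -> php.ini directive (only the POST alert is on the page).
DIRECTIVE = {"POST": "suhosin.post.max_vars", "request": "suhosin.request.max_vars"}

# Constructed sample: the first line is the page's example, the rest are made up.
SAMPLE_LOG = """\
Jul 20 14:17:23 centos4 suhosin[29460]: ALERT - configured POST variable limit exceeded - dropped variable 'si_contact_text_message_sent' (attacker '192.168.1.10', file '/var/www/html/mosaic/htdocs/blog-test/wp-admin/plugins.php')
Jul 20 14:17:23 centos4 suhosin[29460]: ALERT - configured POST variable limit exceeded - dropped variable 'si_contact_example_field_a' (attacker '192.168.1.10', file '/var/www/html/mosaic/htdocs/blog-test/wp-admin/plugins.php')
Jul 20 14:19:02 centos4 suhosin[29471]: ALERT - configured POST variable limit exceeded - dropped variable 'si_contact_text_message_sent' (attacker '192.168.1.10', file '/var/www/html/mosaic/htdocs/blog-test/wp-admin/plugins.php')
Jul 20 14:19:02 centos4 suhosin[29471]: ALERT - configured request variable limit exceeded - dropped variable 'si_contact_example_field_a' (attacker '192.168.1.10', file '/var/www/html/mosaic/htdocs/blog-test/wp-admin/plugins.php')
Jul 20 14:20:11 centos4 sshd[3011]: Accepted publickey for admin from 192.168.1.10 port 50022 ssh2
"""

def summarize(lines):
    """Map (script, directive) -> set of distinct variable names Suhosin dropped."""
    dropped = defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            # Unknown alert kinds are kept visible instead of being guessed at.
            directive = DIRECTIVE.get(m["kind"], "unknown:" + m["kind"])
            dropped[(m["file"], directive)].add(m["var"])
    return dict(dropped)

def minimum_limit(current_limit, dropped_vars):
    """Estimate the smallest limit that lets every field of one form through.

    Variables beyond the limit are dropped, so a form needs at least
    current_limit + (number of distinct dropped names). This is a lower bound.
    """
    return current_limit + len(dropped_vars)

if __name__ == "__main__":
    # 200 is the default limit stated on this page.
    for (script, directive), names in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{script}: raise {directive} to at least {minimum_limit(200, names)}")
        for name in sorted(names):
            print(f"  dropped: {name}")
```

On a real server, pass the lines of /var/log/messages (usually readable only by root) to summarize() instead of SAMPLE_LOG.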

3. You could disable Suhosin server wide:
Unless you are the server administrator, disabling this is probably not permitted, so I am not going to try to explain how. If you have not had success with the other options above, perhaps you can ask your web host if they can white list your WordPress wp-admin/plugins.php page.

4. In a future version I want to divide the admin settings form into a few smaller tabbed sections. Doing so will require lots of code change and I am already examining it, but I have no estimate of when this could be complete, sorry.

If you have any information that could be useful to me, please contact Support.

Donations by PayPal:

If you find this free contact form program/plugin useful to you, please consider making a small donation to help contribute to further development. My time is very limited and I get dozens of support emails every day. If you are not able to donate, that is OK. Thanks for your kind support! - Mike Challis
