是否可以使用 Symfony 处理普通的旧 HTML 表单,但使用 CSRF 令牌?
[英]Is it possible to handle a plain old HTML form with Symfony, but with CSRF token?
问题描述
I'm in the process of making a Bootstrap 4 styled payment form for my app, wherein radio buttons select the payment method.
我正在为我的应用程序制作 Bootstrap 4 样式的付款表格,其中单选按钮选择付款方式。 In attempting to make my form via Symfony's form classes, I've found them to be too restrictive/clumsy to do what I want.在尝试通过 Symfony 的表单类制作我的表单时,我发现它们过于严格/笨拙而无法做我想做的事。 I DO NOT want to mess around with Symfony form theming (I find it annoyingly verbose), I DO NOT want to use Symfony's pre-made Bootstrap theme, and I DO NOT want to use any createFormBuilder anything.我不想弄乱 Symfony 表单主题(我觉得它很烦人的冗长),我不想使用 Symfony 的预制 Bootstrap 主题,我不想使用任何createFormBuilder任何东西。
So, is there a way for me to make a plain old HTML form, but with Symfony's CSRF token?那么,有没有办法让我制作一个普通的旧 HTML 表单,但使用 Symfony 的 CSRF 令牌? This answer seems promising, but doesn't mention CSRF protection.这个答案看起来很有希望,但没有提到 CSRF 保护。
2 个解决方案
解决方案1
1 已采纳 2019-04-01 07:29:50
According to this documentation How to Implement CSRF Protection , an attempt of solution is to use something like (in symfony 3.4 and 4) :根据这个文档如何实现 CSRF 保护,解决方案的尝试是使用类似的东西(在 symfony 3.4 和 4 中):
- in your controller, you can have something like :在你的控制器中,你可以有类似的东西:
/**
* @Route("/names", methods={"POST"}, name="app_post_names")
*/
public function postName(Request $request)
{
$name = $request->request->get('name');
$csrfToken = $request->request->get('_csrf_token');
if(!$this->isCsrfTokenValid('token_id', $csrfToken)) {
// ... throw bad request
}
// ... Do other thing
}
- Now in your template you can have something like (with your own design) :现在在你的模板中,你可以有类似的东西(用你自己的设计):
<form action="{{ path('app_post_names') }}" method="post">
Name : <input name="name" type="text" />
<input name="_csrf_token" value="{{ csrf_token('token_id') }}" type="hidden" />
<input type="submit" value="send" />
</form>
解决方案2
0 2019-03-30 01:50:44
Don't use Symfony at all, and generate your own token?根本不使用Symfony,并生成自己的令牌?
You don't really need to use Symfony form theming when making a form.在制作表单时,您实际上并不需要使用 Symfony 表单主题。 Myself, I always build my own form tags.我自己总是建立自己的表单标签。
- You want to customise your select?您想自定义您的选择吗? Can be done too也可以做到
- You want to use fields which aren't in an entity, can be done as well...您想使用不在实体中的字段,也可以这样做...
Symfony forms aren't as restrictive as you think. Symfony 形式并不像你想象的那么严格。
You most likely don't have the "know how" about this matter.您很可能不了解这件事。
Controller控制器
public function customFormAction(Request $request) {
$form=$this->createFormBuilder()
->setAction($this->generateUrl('route_name'))
->setMethod('POST')
->add("customField", ChoiceType::class, array(
'choices'=>array(
'1'=>'Choice 1',
'2'=>'Choice 2',
'3'=>'Choice 2',
),
'required'=>true,
'mapped'=>false, //Isn't mapped to any entity
))
->getForm();
$form->handleRequest($request);
if($form->isSubmitted() && $form->isValid()) {
$customField=$form->get('customField')->getData();
//do your stuff
}
return $this->render('route_name', array(
'form'=>$form->createView(),
));
}
Twig view树枝视图
<form action="{{ form.vars.action }}" method="{{ form.vars.method }}">
<div class="input-field">
<select id="{{ form.customField.vars.id }}" name="{{ form.customField.vars.full_name }}" class="my_classes">
{% for option in form.customField.vars.choices %}
<option data-attr="my_attributes" value="{{ option.value }}">{{ option.label }}</option>
{% endfor %}
</select>
</div>
<input name="{{ form._token.vars.full_name }}" value="{{ form._token.vars.value }}" type="hidden">
</form>
With this, I'm barely using any twig templating, I still have a CSRF token and Symfony barely handle the form (it will only check CSRF token)有了这个,我几乎没有使用任何树枝模板,我仍然有一个 CSRF 令牌,而 Symfony 几乎没有处理表单(它只会检查 CSRF 令牌)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.