php Symfony 2 在使用没有类的表单时添加 CSRF 令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16136188/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Symfony 2 Add CSRF Token when using a form without a class
提问by Paul Pounder
Firstly I'm a complete noobie with Symfony 2. The question sounds simple, if I try and put some context into why and how I need this it will start to get confusing.
首先,我是 Symfony 2 的完全新手。这个问题听起来很简单,如果我尝试将一些上下文放在为什么以及如何需要它上,它会开始变得混乱。
In essence I've created a form, which I manually process, validate and insert using Doctrine etc. I am manually creating the form within a controller action (it's built dynamically from retrieved values from another object). I'm assuming there maybe better ways to do this, but as I'm new to Symfony and days of trawling the net, I can't see any solutions to what I need to do.
本质上,我创建了一个表单,我使用 Doctrine 等手动处理、验证和插入表单。我在控制器操作中手动创建表单(它是根据从另一个对象检索的值动态构建的)。我假设可能有更好的方法来做到这一点,但由于我是 Symfony 的新手并且在网上搜索了几天,我看不到我需要做的任何解决方案。
Therefore I'm not simply building a form against a class/entity etc and so I will manually need to add a CSRF token or some kind of protection.
因此,我不是简单地针对类/实体等构建表单,因此我需要手动添加 CSRF 令牌或某种保护。
In normal circumstances you would create the FormType and configure default options to have csrf_protection. Then a simple case of:
在正常情况下,您将创建 FormType 并配置默认选项以具有 csrf_protection。然后是一个简单的案例:
{{ form_widget(form._token) }}
and the csrf token is there.
csrf 令牌就在那里。
As I'm dynamically building the form I am not sure how I can manually create a csrf token for my form. Has anyone had any experience of creating forms without a class and adding csrf protection?
当我动态构建表单时,我不确定如何为我的表单手动创建 csrf 令牌。有没有人有过创建没有类的表单并添加 csrf 保护的经验?
Kind regards Paul Pounder
亲切的问候保罗庞德
采纳答案by dylan oliver
In (my) normal circumstances you create a form and do notspecifically configure CSRF - it happens automatically, and you use form_rest(form)or form_end(form)to render the hidden input with CSRF token. I do not believe that this is any different for a form not backed by a model.
在(我的)正常情况下,您创建一个表单并且不专门配置 CSRF - 它会自动发生,并且您使用form_rest(form)或form_end(form)使用 CSRF 令牌呈现隐藏的输入。我不认为这对于没有模型支持的表单有什么不同。
回答by ?abojad
I think what you are looking for is the following :
我认为您正在寻找的是以下内容:
This will render a CSRF token. Use this function if you want CSRF protection without creating a form
这将呈现 CSRF 令牌。如果您想在不创建表单的情况下进行 CSRF 保护,请使用此功能
{{ csrf_token("intention") }}
For example:
例如:
<a href="{{ path('remove_stuff', {token: csrf_token('intention')}) }}">Remove</a>
To validate this token from a controller, you can do:
要从控制器验证此令牌,您可以执行以下操作:
if ($this->get('token') !== $this->get('security.csrf.token_manager')->getToken('intention')->getValue()) {
throw new \Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException('Invalid CSRF token');
}
To simplify check the token on Symfony 2.6 or newer
为了简化在 Symfony 2.6 或更新版本上检查令牌
if ($this->isCsrfTokenValid('intention', $submittedToken)) {
// ... do something, like deleting an object
}
回答by d3uter
Connection between Form Type and token:
表单类型和令牌之间的连接:
{{ csrf_token("task_item_intention") }}
and in Form Type:
并在表格类型中:
class TaskType extends AbstractType
{
// ...
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'data_class' => 'Acme\TaskBundle\Entity\Task',
'csrf_protection' => true,
'csrf_field_name' => '_token',
// a unique key to help generate the secret token
'intention' => 'task_item_intention',
));
}
// ...
}
