In Laravel 5, I notice that whenever I have a form which I wrote in plain HTML, instead of using Form::open, it is required to have a hidden input field for the token:
<input type="hidden" name="_token" value="<?php echo csrf_token(); ?>" />
And for a form that updates a record, it is required to have <input name="_method" type="hidden" value="PATCH">
Is it correct that I should always have these fields when writing forms using plain HTML? Are there other ways of doing this if I were still to write it in plain HTML?
Yes, that's correct. For PATCH (and basically all verbs other than GET or POST) there's no other way than using _method.
This is described in the route chapter of the documentation: Method Spoofing
However, you could disable CSRF protection. I'm not saying you should do that, but if you wanted to, you can disable it by removing Illuminate\Foundation\Http\Middleware\VerifyCsrfToken from the middleware array in app/Http/Kernel.php.
This is in the documentation as well: CSRF Protection
I have a simple HTML POST form with a PHP variable included as the value. I wish to use this in my CodeIgniter project; what is the best way to do this?
Here is my correct code (I do have the form helper)
<form action="https://www.mysite.co.uk/1/" method="POST">
    <input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>">
    <input class="btn btn-primary" type="submit" role="button" id="">
</form>
I may have misunderstood your question with my first answer.
If all you want is a POST button, then you can write this:
<input type="submit" class="btn btn-primary" role="button" value="Send" />
Or use the form helper:
<?php echo form_submit('BtnName', 'Send'); ?>
// Would produce:
<input type="submit" name="BtnName" value="Send" />
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_submit
You can do what you are doing:
<input id="start-test" type="hidden" name="userid" value="<?php echo htmlspecialchars($userID); ?>">
Or use set_value like this:
<input id="start-test" type="hidden" name="userid" value="<?php echo set_value('userid', $userID); ?>">
This will repopulate the field value on a form error. I have left off htmlspecialchars, but you can still include it if you feel you need to; I presume this is an ID from a database, set with auto increment, and as it is not user-generated data the use of htmlspecialchars here might be a bit unnecessary.
In your controller you can access the post variables like this:
$posted_id = $this->input->post('userid');
However, you should be using form validation on posted data. This is quite a big topic, but you can read about the above in the docs. Also, referring to your user ID directly is not always a great solution, since this form can be easily manipulated. You can help to alleviate that somewhat with CI CSRF protection and using form_open, but it is often best to use sessions and get the ID from there. You should never have to include a user ID in a hidden form variable.
Set Value
http://www.codeigniter.com/user_guide/libraries/form_validation.html#re-populating-the-form
Reading post variables
http://www.codeigniter.com/user_guide/libraries/input.html#accessing-form-data
Form Validation in general
http://www.codeigniter.com/user_guide/libraries/form_validation.html#form-validation
Form open and CSRF
http://www.codeigniter.com/user_guide/helpers/form_helper.html#form_open
CI Sessions
http://www.codeigniter.com/user_guide/libraries/sessions.html#session-library
If you are not familiar with security practices it is sometimes best to get to know and use a mature and developed authorization and authentication library. There are many so I will not recommend one here. Just do a search for one and find one that suits your needs.
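Putting this answer's advice together, as an added example that is not code from the question or the answer: the CodeIgniter 3 config switch that turns on the built-in CSRF check, a view that lets form_open() emit the token field, and a controller that takes the user id from the server-side session and validates the rest of the post. The three files are shown in one block. The Test controller, the test_name field, the test_started view and the user_id session key (assumed to be set at login) are assumptions, not names from the page.

```php
<?php
// --- application/config/config.php (excerpt) ---
// With this on, form_open() emits the CSRF hidden field and the Security
// class rejects any POST whose token does not match the CSRF cookie.
$config['csrf_protection']  = TRUE;
$config['csrf_token_name']  = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_regenerate']  = TRUE;   // new token on every request
?>

<?php // --- application/views/start_test.php --- ?>
<?php echo form_open('test/start'); // adds the csrf hidden input automatically ?>
    <?php echo form_error('test_name'); ?>
    <input type="text" name="test_name" value="<?php echo set_value('test_name'); ?>">
    <?php echo form_submit('start', 'Send'); ?>
<?php echo form_close(); ?>

<?php
// --- application/controllers/Test.php (assumed controller) ---
defined('BASEPATH') OR exit('No direct script access allowed');

class Test extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library(array('session', 'form_validation'));
        $this->load->helper('form');
    }

    public function start()
    {
        // The caller's identity comes from the session populated at login
        // (assumed key 'user_id'); there is no user id in the form to tamper with.
        $user_id = $this->session->userdata('user_id');
        if ($user_id === NULL) {
            show_error('You must be logged in.', 403);
        }

        // Everything that does come from the form body is validated before use.
        $this->form_validation->set_rules('test_name', 'Test name', 'required|max_length[50]');
        if ($this->form_validation->run() === FALSE) {
            // Redisplay the form; set_value() in the view repopulates the field.
            $this->load->view('start_test');
            return;
        }

        $test_name = $this->input->post('test_name');
        $this->load->view('test_started', array(   // assumed view
            'user_id'   => $user_id,
            'test_name' => $test_name,
        ));
    }
}
```

A POST that arrives without the csrf_test_name field, or with a value that does not match the cookie, is stopped by the Security class before start() runs, so the controller only has to worry about who the session says is calling and whether the remaining fields validate.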
As I am new to the Laravel framework, I have a query. I am using a <form> tag in a Blade template so that I can delete data from a table.
I am using the below form tag code to delete the data:
<form action="{{ route('admin.states.update',$data->state_id) }}" id="form_sample_2" class="form-horizontal" novalidate="novalidate" method="PUT">
Here I have used PUT as the method, but the browser is automatically treating it as a GET request. I found some questions on Stack Overflow where many said PUT & DELETE are not detected by the browser.
So, using the Laravel Form facade, this problem is solved:
{!! Form::open(array('route'=>['admin.states.update',$data->state_id],'role'=>'form','method'=>'PUT')) !!}
The above code works as intended, but my query is that I don't want to use the Form facade in Laravel; I want to use the first type of HTML code for opening the form.
Is there any other method by which I can use the PUT method in an HTML form tag without using the Form facade in Laravel?
Set the form method to POST and add a hidden input as follows:
<input type="hidden" name="_method" value="put">
and also make sure to add the following, if your ValidateCSRF middleware is enabled:
<input type="hidden" name="_token" value="{{ csrf_token() }}">
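A complete version of the plain-HTML approach given in this answer and in the first thread above (the _method and _token hidden fields), as an added example that is not code from either question or answer: the Blade view, the route it posts to, and the controller action that receives the spoofed verb. Three files are shown in one block. The route name admin.states.update and the state_id property come from the question; the StateController class, the State model, the name field and the view path are assumptions.

```php
{{-- resources/views/admin/states/edit.blade.php (assumed path) --}}
<form action="{{ route('admin.states.update', $data->state_id) }}" method="POST">
    {{-- HTML forms only send GET or POST; Laravel reads the real verb from _method --}}
    <input type="hidden" name="_method" value="PUT">
    {{-- VerifyCsrfToken compares this value with the token kept in the session --}}
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    <input type="text" name="name" value="{{ old('name', $data->name) }}">
    <button type="submit">Update</button>
</form>

<?php
// --- app/Http/routes.php (Laravel 5.0 to 5.2) ---
// The route is registered for PUT only, so a plain POST to this URL that
// lacks the _method field is answered with a MethodNotAllowedHttpException.
Route::put('admin/states/{id}', [
    'as'   => 'admin.states.update',
    'uses' => 'Admin\StateController@update',
]);

// --- app/Http/Controllers/Admin/StateController.php (assumed) ---
namespace App\Http\Controllers\Admin;

use App\Http\Controllers\Controller;
use App\State;                 // assumed Eloquent model backing the form
use Illuminate\Http\Request;

class StateController extends Controller
{
    public function update(Request $request, $id)
    {
        // $request->method() is "PUT" here: the spoofed verb replaced POST
        // before routing. A request with a missing or stale _token never gets
        // this far; VerifyCsrfToken throws TokenMismatchException first.
        $this->validate($request, ['name' => 'required|max:100']);

        $state = State::findOrFail($id);
        $state->name = $request->input('name');
        $state->save();

        return redirect()->back();
    }
}
```

The same view works for DELETE by changing the _method value and registering the route with Route::delete; the _token field stays, because every non-GET request passes through VerifyCsrfToken regardless of the spoofed verb.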
What's the problem?
The primary key is present in the URL, so the data for other records can be seen easily by changing the URL.
The rendered HTML has a hidden field present. Anybody can easily change other records by altering this hidden field.
When I edit the page, my URL looks like the one below.
http://localhost/Category/3
and below is the rendered HTML:
<form method="POST" action="http://localhost/UpdateCategory" accept-charset="UTF-8">
    <input name="_token" type="hidden" value="AmAXKmqtct6VOFbAVJhKLswEtds4VwHWjgu3w5Q8">
    <input name="CategoryID" type="hidden" value="3">
    <input required="required" name="Category" type="text">
    <input class="btn btn-success" type="submit" value="Update">
</form>
Please suggest some URL and form security measures in Laravel 5.1.
There are many workarounds which we have to handle ourselves to avoid such incidents.
Fix 1 :
If you don't want users to be reached by just changing the URL
(i.e., directly passing the id in the URL),
you can filter the requests by:
<?php
// empty() avoids an undefined-index notice when the header is absent
if (!empty($_SERVER['HTTP_REFERER']))
{
    // request carries a Referer header: let it through
}
else
{
    exit;
}
You can have this in your middleware or even in your view if you wish.
Fix 2: Never worry about the _token that is visible when you view the form source.
It is just the token generated by the Laravel app, which is used to identify whether the request is from an authenticated source or not.
If you edit the token and submit the form, you will surely get a CSRF Token Mismatch Exception.
In fact, this is one of the great features of Laravel.
Interesting point: You can also find something in the headers of the browser ;)
Happy using Laravel ;)
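An added example, not part of the question or the answer above, of the server-side check the question's problem calls for: the record lookup is scoped to the logged-in user, so changing the id in the URL (or in a hidden field) yields a 404 instead of someone else's row. The check runs against the session user and does not read the Referer header, which the client sets and browsers frequently omit. The Category field and the /Category/3 URL come from the question; the Category model with a user_id column, the route names, the CategoryController class and the view path are assumptions. Three files are shown in one block.

```php
{{-- resources/views/category/edit.blade.php (assumed path) --}}
<form method="POST" action="{{ route('category.update', $category->id) }}">
    <input type="hidden" name="_token" value="{{ csrf_token() }}">
    <input type="hidden" name="_method" value="PUT">
    {{-- no CategoryID hidden field: the id lives in the URL and is re-checked server-side --}}
    <input type="text" name="Category" value="{{ old('Category', $category->Category) }}" required>
    <button type="submit" class="btn btn-success">Update</button>
</form>

<?php
// --- app/Http/routes.php (Laravel 5.1) ---
Route::get('Category/{id}',  ['as' => 'category.edit',   'uses' => 'CategoryController@edit']);
Route::put('Category/{id}',  ['as' => 'category.update', 'uses' => 'CategoryController@update']);

// --- app/Http/Controllers/CategoryController.php (assumed) ---
namespace App\Http\Controllers;

use App\Category;             // assumed Eloquent model with a user_id column
use Illuminate\Http\Request;

class CategoryController extends Controller
{
    public function __construct()
    {
        // Only authenticated users get this far; the auth middleware ships with 5.1.
        $this->middleware('auth');
    }

    public function edit(Request $request, $id)
    {
        $category = $this->ownedCategory($request, $id);

        return view('category.edit', ['category' => $category]);
    }

    public function update(Request $request, $id)
    {
        // Which row is written is decided by the URL id plus the owner check,
        // never by anything the client put in the form body.
        $category = $this->ownedCategory($request, $id);

        $this->validate($request, ['Category' => 'required|max:100']);

        $category->Category = $request->input('Category');
        $category->save();

        return redirect()->route('category.edit', $id);
    }

    /**
     * Scope the lookup to the current user: an id that belongs to someone
     * else raises ModelNotFoundException, which Laravel turns into a 404.
     */
    private function ownedCategory(Request $request, $id)
    {
        return Category::where('user_id', $request->user()->id)->findOrFail($id);
    }
}
```

Because ownedCategory() is called on both the GET and the PUT, a user who guesses /Category/4 sees a 404 rather than the form, and a user who submits an edited id gets the same 404 on update; the _token field still protects the authenticated user against cross-site submissions, which is a separate concern from who may touch which row.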
I'm having a problem with CSRF validation in Yii2. The validation works fine with the default form generated by Gii, but when I edit the form with HTML tags the form submission throws a bad request error. I have disabled CSRF validation to hide the error, but I want to use it for the security of the application and data validation.
Is there any way of solving this error, or is there a way of configuring it to work correctly in this scenario?
I guess your HTML form doesn't have the hidden _csrf field, which is automatically generated by the standard Yii2 widgets.
So the minimum code for your custom form might be like this:
<form method="post">
    <input type="hidden" name="<?= Yii::$app->request->csrfParam; ?>" value="<?= Yii::$app->request->csrfToken; ?>" />
    <button type="submit">Save</button>
</form>
Try this:
<?=yii\helpers\Html::hiddenInput(Yii::$app->request->csrfParam, Yii::$app->request->csrfToken)?>
I am currently learning Laravel and finding it really useful and interesting.
At the moment I am making a simple online application form.
What are the biggest advantages to doing things using the Laravel syntax like:
{{ Form::open(array('url' => 'foo/bar')) }}
As opposed to simply:
<form action="foo/bar">
Or:
echo Form::text('username');
Instead of:
<input type="text" name="username" />
The Laravel way must be better, I just wish to know why exactly?
Using the built-in HTML helpers has many benefits:
Using Form::open adds a hidden CSRF protection input (by default).
Using form elements (inputs/textarea etc.) and the withInput method on a redirect allows you to easily fill in the form with the same data with almost no coding.
If you use Redirect::route('form')->withInput(); and have a text input {{ Form::text('username') }}, it will automatically set the input's value to the old data; you don't need to write the check yourself.
Also, if you want to match fields with labels, it's much easier:
{{ Form::label('username', 'Enter username') }}
{{ Form::text('username') }}
It will generate the following code:
<label for="username">Enter username</label>
<input name="username" type="text" id="username">
So, as you see, the id will be created automatically.
Probably there are some more. However, the main disadvantage is that you need to learn it, and it's not portable in case you want to move your site to another framework; but each solution has its pros and cons.
There are many advantages to using Laravel's Form component, but one useful advantage is that when you just use this:
{{ Form::open(array('url' => 'foo/bar')) }}
{{ Form::close() }}
It automatically appends a hidden _token field, which is useful for CSRF protection; otherwise you have to create the _token field manually using echo Form::token() or some other way. Also, when you use RESTful routes, Laravel's Form component appends the corresponding hidden _method field as well. The following note is taken from the Laravel website:
Note: Since HTML forms only support POST and GET, PUT and DELETE methods will be spoofed by automatically adding a _method hidden field to your form.
There are also other advantages like form model binding, generating form elements (especially select) easily, and many more. Read more about Form in the documentation.
BTW, Redirect::back()->withInput() doesn't depend only on the use of the Form component; if you use something like this, for example:
<input type='text' name='username' value='<?php echo Input::old('username') ?>' />
This will still work; the field will be repopulated on redirect back with inputs.