Search code examples
formssymfonygetcsrf

symfony disable csrf protection for classles form with get method

I have classless form, using GET method and can't disable csrf protection. I want to use GET method, because the user must have the option to give a link to his/her search. When user submits the form, _token appears in the URL. If another user tries to use it, you know, "The CSRF token is invalid. Please try to resubmit the form." appears.

This is the function in the controller:

 /**
 * @Route("/tips/all", name="all_tips")
 */
public function listAction(Request $request)
{
    $period = 0;
    $sport = array('3', '4', '15', '19', '20', '29', '33');
    $defaultData = array(
        'csrf_protection' => false,
        'period' => 0,
        'sport' => $sport,
    );
    $form = $this->createFormBuilder($defaultData)
        ->add('period', 'choice',
            array('choices' => array(
                '0' => "All time",
                '1' => "Last month",
                '2' => "Last 3 months",
                '3' => "Last year",
            ),
                'expanded' => false,
                'multiple' => false,
            )
        )
        ->add('sport', 'choice',
            array('choices' => array(
                '3' => 'Baseball',
                '4' => 'Basketball',
                '15' => 'Football',
                '19' => 'Hockey',
                '29' => 'Soccer',
                '33' => 'Tennis',
            ),
                'expanded' => true,
                'multiple' => true,
                'data' => $sport,
            ))
        ->add('send', 'submit')
        ->setMethod('GET')
        ->getForm();

    $form->handleRequest($request);

    if ($form->isSubmitted() && $form->isValid()) {
        $data = $form->getData();
        $period = $data['period'];
        $sport = $data['sport'];
    }

    $em = $this->getDoctrine()->getManager();
    $addSport = !empty($sport) ? '  p.sport in (' . implode(',', $sport) . ')' : '';
    $dql = "
        SELECT
            p
        FROM
            AppBundle:Predictions p
        WHERE " .
        $addSport .
        $this->fromTo($period, 'dql');
    $query = $em->createQuery($dql);
    $paginator = $this->get('knp_paginator');
    $pagination = $paginator->paginate(
        $query, $request->query->getInt('page', 1), 50, array(
            'defaultSortFieldName' => 'p.predictDate',
            'defaultSortDirection' => 'DESC',
        )
    );
    return $this->render('AppBundle:Tips:all.html.twig', array(
        'pagination' => $pagination,
        'form' => $form->createView(),
    ));
}

This is the code in twig

{{ form_start(form) }}
{{ form_widget(form) }}
{{ form_end(form) }}

My Symfony version is v2.8.45.

I tried to pass 'csrf_protection' => false, in the default options, but it seems not to work.

What I'm doing wrong?

Edit: Meh, I just saw the possibility for SQL injection. :-( I'll fix it.

Solution

  • The problem is that you have added the csrf_protection option inside the data array instead of the options array. The declaration of the createFormBuilder method is:

    protected function createFormBuilder($data = null, array $options = array())

    So you have to change your code like this:

    $defaultData = array(
    'period' => 0,
    'sport' => $sport,
);

$options = array('csrf_protection' => false);

$form = $this->createFormBuilder($defaultData, $options)
        ...