dragon321723 2015-07-23 10:27
Views: 15
Accepted

Preventing "form overposting" in Symfony

Overposting a form is a common way of manipulating data / hacking a site. The cause of that potential security problem is the Form/Model Binder, which automatically binds a Form to an object. Within ASP.NET, I know how to protect against this sort of attack.

We have a User Model with the following fields: ID, Firstname, Lastname, Password. I want the user to be able to change his Firstname and Lastname. As we know, this happens within Symfony (and ASP.NET MVC) via a Form/Model Binder that takes the "names" of the form fields and maps their values to the corresponding object fields.

Solution in ASP.NET, using the [Bind] expression on each "Post-Controller":

public async Task<ActionResult> Create([Bind(Include="FirstName,Lastname")] Employee employee)

How can I prevent this kind of attack within a Symfony application? How do I tell the Model/Form binder which POST data should be accepted / expected?

@Edit: This question is intended to find out how to solve this kind of problem when using one FormType for multiple use cases, e.g. for creation and editing of an employee. I know that, in general, the Symfony Form Component already checks whether there are any additional fields.


2 answers

  • dpvr49226 2015-07-23 17:52
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\FormBuilderInterface;
    use Symfony\Component\OptionsResolver\OptionsResolverInterface;

    class FooType extends AbstractType
    {
        public function buildForm(FormBuilderInterface $builder, array $options)
        {
            // Only the fields added here can ever be bound from the request;
            // the edit-only fields are skipped entirely for the create form
            if ($options['type'] === 'edit') {
                $builder->add('editMe');
                //More edit me fields
            }

            $builder->add('createMe');
            //more create me fields
        }

        public function setDefaultOptions(OptionsResolverInterface $resolver)
        {
            // 'type' selects the use case; it defaults to 'create'
            $resolver->setRequired(array(
                'type'
            ));

            $resolver->setDefaults(array(
                'type' => 'create'
            ));
        }

        //For consistency
        public function getName()
        {
            return 'foo';
        }
    }


    There is no need for extra events, since that would be overkill.

    Controller:

    use Symfony\Component\HttpFoundation\Request;

    public function createFooAction(Request $request)
    {
        // No 'type' option given, so the resolver default 'create' applies
        $form = $this->createForm(new FooType(), new Foo());

        $form->handleRequest($request);
        // Check isSubmitted() first; isValid() is only meaningful on a submitted form
        if ($form->isSubmitted() && $form->isValid()) {
            //flush form
        }

        return $this->render("AppBundle:Foo:create.html.twig", array(
            'form' => $form->createView()
        ));
    }

    public function editFooAction(Request $request, $id)
    {
        // Standard Doctrine lookup; the original answer left this as find($id)
        $foo = $this->getDoctrine()->getRepository('AppBundle:Foo')->find($id);
        if (!$foo) {
            throw $this->createNotFoundException();
        }

        $form = $this->createForm(new FooType(), $foo, array(
            'type' => 'edit'
        ));

        $form->handleRequest($request);
        if ($form->isSubmitted() && $form->isValid()) {
            //flush form
        }

        return $this->render("AppBundle:Foo:edit.html.twig", array(
            'form' => $form->createView()
        ));
    }


    Bonus

    This answer was selected by the asker as the best answer.
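To see what the accepted answer's whitelisting actually buys you, here is an added, stand-alone example (not part of the original question or answer) that submits an overposted request body to an edit-scoped form type built the same way. The `Employee` entity, the `EmployeeType` class and the submitted array are constructed for this demo; it assumes `symfony/form` and `symfony/validator` (the Symfony 2.x API that matches the answer's `setDefaultOptions()`) are installed via Composer.

```php
<?php
// Added example, not from the original answer: what the Symfony Form component
// does with POST fields the form type never declared.
// Constructed names: Employee, EmployeeType, and the $submitted array below.
// Assumes symfony/form and symfony/validator (Symfony 2.x API) via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Validator\ValidatorExtension;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\Form\Forms;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;
use Symfony\Component\Validator\Validation;

class Employee
{
    public $id;
    public $firstname;
    public $lastname;
    public $password;
}

class EmployeeType extends AbstractType
{
    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // Whitelist: only fields added here are ever mapped onto the object
        $builder->add('firstname')->add('lastname');
        if ($options['type'] === 'create') {
            $builder->add('password', 'password');
        }
        // 'id' is never added, so no request can set it through this form
    }

    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        $resolver->setDefaults(array(
            'data_class' => 'Employee',
            'type'       => 'edit',
        ));
        // Reject typos or unexpected use-case names at form creation time
        $resolver->setAllowedValues(array('type' => array('create', 'edit')));
    }

    public function getName()
    {
        return 'employee';
    }
}

// The validator extension supplies the "extra fields" check
// (the allow_extra_fields option defaults to false)
$factory = Forms::createFormFactoryBuilder()
    ->addExtension(new ValidatorExtension(Validation::createValidator()))
    ->getFormFactory();

$employee = new Employee();
$employee->id = 42;
$employee->firstname = 'Ada';
$employee->lastname = 'Byron';
$employee->password = 'original-hash';

// Constructed POST body: a legitimate lastname change plus two overposted fields
$submitted = array(
    'firstname' => 'Ada',
    'lastname'  => 'Lovelace',
    'id'        => '1',
    'password'  => 'attacker-chosen',
);

$form = $factory->create(new EmployeeType(), $employee, array('type' => 'edit'));
$form->submit($submitted);

printf("valid: %s\n", $form->isValid() ? 'yes' : 'no');
printf("extra fields: %s\n", implode(', ', array_keys($form->getExtraData())));
printf("id=%s password=%s lastname=%s\n",
    $employee->id, $employee->password, $employee->lastname);
```

Two things this demonstrates that the answer only implies: the undeclared keys never reach the object (`id` and `password` keep their original values while `lastname` is updated), and they are still recorded in `getExtraData()` and turned into a form error by the validator, so `isValid()` fails and the controller's `isSubmitted() && isValid()` guard refuses to flush. The whitelist in `buildForm()` is the actual protection; the validation error is the signal that lets you log the attempt.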
