bradsi
11/19/2019 - 10:30 PM

Form Handling and CSRF Protection

CREATE

  • Route:

    • Route::get('/projects/create', 'ProjectsController@create');
    • Route::post('/projects', 'ProjectsController@store');
  • Controller:

    • create create method
      • return view
    • create store method
      • $project = new Project();
      • $project->title = request('title');
      • $project->description = request('description');
      • $project->save();
      • return redirect('/projects');
  • View:

    • create new view with form
    • form method = POST, form action = /projects

PATCH

  • Route:
  • Controller:
    • create edit method with id param
      • $project = Project::find($id)
      • return view and pass project
    • create update method with id param
      • fetch project as above
      • $project->title = request('title');
      • $project->description = request('description');
      • $project->save();
      • return redirect('/projects');
  • View:
    • create form
      • populate fields with the existing values, e.g. value="{{ $project->title }}"
    • form method = POST, form action = /projects/{{ $project->id }}
    • @method('PATCH')

DELETE

  • Controller:
    • add destroy method, pass id
    • Project::find($id)->delete();
    • return redirect('/projects');
  • View:
    • add form, can be on edit view, form method = POST, action = /projects/{{ $project->id }}
    • @method('DELETE')

CSRF Protection

  • Always include a hidden CSRF token field in any HTML form so that the CSRF protection middleware can validate the request
  • Use the @csrf Blade directive
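
Worked example of the edit view with both the PATCH form and the DELETE form, showing where @csrf and @method go. This is an added example, not code from the original notes; it assumes the view lives at resources/views/projects/edit.blade.php and receives a $project with title and description (the Blade file is shown in a php fence because Blade compiles to PHP).

```php
{{-- resources/views/projects/edit.blade.php (added example, not from the notes) --}}
{{-- Assumes $project is passed in from ProjectsController@edit --}}

<form method="POST" action="/projects/{{ $project->id }}">
    @csrf               {{-- renders <input type="hidden" name="_token" value="..."> --}}
    @method('PATCH')    {{-- renders <input type="hidden" name="_method" value="PATCH"> --}}

    <label for="title">Title</label>
    {{-- old() re-fills the field after a failed validation redirect; {{ }} HTML-escapes the value --}}
    <input type="text" id="title" name="title" value="{{ old('title', $project->title) }}">

    <label for="description">Description</label>
    <textarea id="description" name="description">{{ old('description', $project->description) }}</textarea>

    <button type="submit">Update</button>
</form>

{{-- Delete form on the same view: still a POST, still needs its own @csrf --}}
<form method="POST" action="/projects/{{ $project->id }}">
    @csrf
    @method('DELETE')
    <button type="submit">Delete</button>
</form>
```

Two things worth checking when a form "mysteriously" returns a 419: every form that submits with POST needs its own @csrf (the delete form does not inherit the token from the edit form above it), and @method must sit inside the form it spoofs. Browsers only send GET and POST, so the _method field is what lets the router match Route::patch / Route::delete.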

ID Doesn't Exist

  • Instead of using the find() method, we can use findOrFail(), which will fail gracefully and present a 404 if the user passes an ID which doesn't exist in the db.
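
Putting the CREATE, PATCH and DELETE steps above together with findOrFail(), here is a complete routes file and controller. This is an added example, not code from the original notes or the Laravel project; it assumes a Project Eloquent model (App\Project, Laravel 6-era namespace) with title and description columns, and it adds request validation, which the notes do not cover, as the check a practitioner would want before writing form input to the database.

```php
<?php
// Added example (not from the original notes). Two files shown in one listing.

// --- routes/web.php ---
// Routes in web.php get the `web` middleware group, which includes
// VerifyCsrfToken: POST/PATCH/DELETE without a valid _token return 419.
Route::get('/projects/create', 'ProjectsController@create');
Route::post('/projects', 'ProjectsController@store');
Route::get('/projects/{id}/edit', 'ProjectsController@edit');
Route::patch('/projects/{id}', 'ProjectsController@update');
Route::delete('/projects/{id}', 'ProjectsController@destroy');

// --- app/Http/Controllers/ProjectsController.php ---
namespace App\Http\Controllers;

use App\Project;
use Illuminate\Http\Request;

class ProjectsController extends Controller
{
    // Shared rules for store() and update(); rejects missing or oversized input
    // with a redirect back (422 for JSON clients) before the model is touched.
    private function rules(): array
    {
        return [
            'title'       => 'required|string|max:255',
            'description' => 'required|string',
        ];
    }

    public function create()
    {
        return view('projects.create');
    }

    public function store(Request $request)
    {
        $data = $request->validate($this->rules());

        $project = new Project();
        $project->title = $data['title'];
        $project->description = $data['description'];
        $project->save();

        return redirect('/projects');
    }

    public function edit($id)
    {
        // findOrFail() throws ModelNotFoundException, rendered as a 404,
        // instead of handing a null $project to the view.
        $project = Project::findOrFail($id);

        return view('projects.edit', compact('project'));
    }

    public function update(Request $request, $id)
    {
        $project = Project::findOrFail($id);
        $data = $request->validate($this->rules());

        $project->title = $data['title'];
        $project->description = $data['description'];
        $project->save();

        return redirect('/projects');
    }

    public function destroy($id)
    {
        // With find() an unknown id would be a call to delete() on null (500);
        // findOrFail() turns that into a clean 404.
        Project::findOrFail($id)->delete();

        return redirect('/projects');
    }
}
```

Assigning the validated fields one by one (rather than Project::create($request->all())) is deliberate: only title and description can ever reach the model, whatever extra fields a client adds to the POST body.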