symfony disable csrf protection for classles form with get method

I have classless form, using GET method and can't disable csrf protection.
I want to use GET method, because the user must have the option to give a link to his/her search. When user submits the form, _token appears in the URL. If another user tries to use it, you know, "The CSRF token is invalid. Please try to resubmit the form." appears.

This is the function in the controller:

/**
* @Route("/tips/all", name="all_tips")
*/
public function listAction(Request $request)

$period = 0;
$sport = array('3', '4', '15', '19', '20', '29', '33');
$defaultData = array(
'csrf_protection' => false,
'period' => 0,
'sport' => $sport,
);
$form = $this->createFormBuilder($defaultData)
->add('period', 'choice',
array('choices' => array(
'0' => "All time",
'1' => "Last month",
'2' => "Last 3 months",
'3' => "Last year",
),
'expanded' => false,
'multiple' => false,
)
)
->add('sport', 'choice',
array('choices' => array(
'3' => 'Baseball',
'4' => 'Basketball',
'15' => 'Football',
'19' => 'Hockey',
'29' => 'Soccer',
'33' => 'Tennis',
),
'expanded' => true,
'multiple' => true,
'data' => $sport,
))
->add('send', 'submit')
->setMethod('GET')
->getForm();

$form->handleRequest($request);

if ($form->isSubmitted() && $form->isValid())
$data = $form->getData();
$period = $data['period'];
$sport = $data['sport'];


$em = $this->getDoctrine()->getManager();
$addSport = !empty($sport) ? ' p.sport in (' . implode(',', $sport) . ')' : '';
$dql = "
SELECT
p
FROM
AppBundle:Predictions p
WHERE " .
$addSport .
$this->fromTo($period, 'dql');
$query = $em->createQuery($dql);
$paginator = $this->get('knp_paginator');
$pagination = $paginator->paginate(
$query, $request->query->getInt('page', 1), 50, array(
'defaultSortFieldName' => 'p.predictDate',
'defaultSortDirection' => 'DESC',
)
);
return $this->render('AppBundle:Tips:all.html.twig', array(
'pagination' => $pagination,
'form' => $form->createView(),
));



This is the code in twig

form_start(form)
form_widget(form)
form_end(form)


My Symfony version is v2.8.45.

I tried to pass 'csrf_protection' => false, in the default options, but it seems not to work.

What I'm doing wrong?

Edit: Meh, I just saw the possibility for SQL injection. :-( I'll fix it.

1 Answer
1

The problem is that you have added the csrf_protection option inside the data array instead of the options array. The declaration of the createFormBuilder method is:

protected function createFormBuilder($data = null, array $options = array())


So you have to change your code like this:

$defaultData = array(
'period' => 0,
'sport' => $sport,
);

$options = array('csrf_protection' => false);

$form = $this->createFormBuilder($defaultData, $options)
...


Thanks for contributing an answer to Stack Overflow!

But avoid …

To learn more, see our tips on writing great answers.

Required, but never shown

Required, but never shown

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.