Jelix - The revealing Token
Since Jelix 1.1RC1 the framework fights CSRF with form tokens: your forms are secured fully automatically and transparently, but that is not all the tokens do!
How?
Let's suppose we edit article 1 from the URL http://localhost/article/edit/1
The code of the “edit” method will be:
```php
function edit() {
    // get the ID from the URL
    $id = (integer) $this->param('id');
    // if the validate button is not used, we initiate a form
    if ($this->param('validate') == '') {
        $form = jForms::get('article~artdao', $id);
    }
    // otherwise the validate button was submitted
    else {
        // get the form instance (note: $id is missing here, this is the bug discussed below)
        $form = jForms::fill('article~artdao');
        $form->saveToDao('article~artdao', $id);
    }
}
```
What will happen with this code?
- Accessing the edit page will work fine.
- Saving the data won't work and we will have an error message:
[exception 835] Invalid form token, you should fill the form correctly from the site ..lib/jelix/forms/jFormsBase.class.php 142
Even if we empty the application cache nothing changes, nothing works…
So what's wrong; why this error message?
Simply because during the initialisation of the $form instance (with jForms::get()) we gave the ID parameter, but we didn't use it in:
$form = jForms::fill('article~artdao');
So, replace the line above with this one:
$form = jForms::fill('article~artdao',$id);
and then the error message about the token will be gone with the wind ;)
So here is a way to check that our form is correctly managed by the anti-CSRF function: the token is bound to the form instance identified by the selector and the ID, so fill() must receive the same ID that get() received.
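To make the cause of the error visible, here is an added illustrative model (not Jelix's own code) of a session-backed form store in which every (selector, id) pair owns its own token; the class name, the hidden field name and the get/fill signatures are assumptions that only mirror the calls used above.

```php
<?php
// Illustrative model, not Jelix code: each (selector, id) pair owns its own CSRF token,
// so fill() must look up the instance with the same $id that get() created.
class FormTokenStore
{
    // Constructed stand-in for the PHP session that holds the form instances.
    private static array $session = [];

    // Hidden field name is an assumption for this example.
    const TOKEN_FIELD = '__FORM_TOKEN__';

    private static function key(string $selector, $id): string
    {
        // A missing id collapses to the default key, like calling fill() without $id.
        return $selector . ':' . ($id === null ? '0' : (string) $id);
    }

    // Like jForms::get($sel, $id): create the instance and its token on first use.
    public static function get(string $selector, $id = null): array
    {
        $key = self::key($selector, $id);
        if (!isset(self::$session[$key])) {
            self::$session[$key] = ['token' => bin2hex(random_bytes(16)), 'data' => []];
        }
        return self::$session[$key];
    }

    // Like jForms::fill($sel, $id): find the instance for this id and compare the
    // submitted token with the one stored for that instance.
    public static function fill(string $selector, $id, array $post): array
    {
        $key = self::key($selector, $id);
        $stored = self::$session[$key]['token'] ?? null;
        $sent = $post[self::TOKEN_FIELD] ?? '';
        if ($stored === null || !hash_equals($stored, $sent)) {
            throw new RuntimeException("Invalid form token for instance $key");
        }
        self::$session[$key]['data'] = $post;
        return self::$session[$key];
    }
}

// GET /article/edit/1: the instance for article 1 is created together with its token.
$form = FormTokenStore::get('article~artdao', 1);
// Constructed submission carrying the token rendered in that form.
$post = [FormTokenStore::TOKEN_FIELD => $form['token'], 'title' => 'Hello'];

try {
    FormTokenStore::fill('article~artdao', null, $post);   // buggy call: id dropped, looks under ':0'
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
$saved = FormTokenStore::fill('article~artdao', 1, $post); // fixed call: same id as get()
echo $saved['data']['title'], PHP_EOL;
```

The first fill() fails because the token was stored for `article~artdao:1` while the lookup happens under the default instance; passing the same ID as get() makes the stored and submitted tokens match.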