Jelix - The revealing, Token ¶

Since Jelix of 1.1RC1, the appearance of the “fight” against CSRF with the tokens, not only to secure your forms, fully automatically and transparently, but not only!

How ?

Let suppose we edit an article 1 from the url http://localhost/article/edit/1

the code of the method “edit” will be :

function edit {
// get the ID from the URL 
$id = (integer) $this->param('id');
// if the validate button is not used, we initiate a form
if ($this->param('validate') == '') {
   $form = jForms::get('article~artdao',$id);
}
// the the validate button is submitted
else {
   // get the form instance
   $form = jForms::fill('article~artdao');
   $form->saveToDao('article~artdao',$id);
}
}

What will happened with this code ?

1. The access of the edit page will be fine.
2. The save of the data wont be fin and we will haev an error message :

[exception 835]  Invalid form token, you should fill the form correctly from the site ..lib/jelix/forms/jFormsBase.class.php 142

Even if we empty the cache of the application nothing will change, nothing will work…

So what's wrong ; why this error message ?

Just because during the initialisation of the $form instance (with jForms::get() ) we gave the ID parameter but we didnt use it with :

   $form = jForms::fill('article~artdao');

So, replace the code above, by this one

   $form = jForms::fill('article~artdao',$id);

and then the error message about the token will gone with the wind ;)

So here is a way to check that our form is correctly manage with the anti CSRF function