2

I have a Symfony2 form that has required fields, which works fine in most browsers as the "required" attribute is on the inputs and so the user is unable to submit the form without filling in the field.

However, for the browsers that don't support the "required" attribute the form is submitted. This is causing a problem because when the form's isValid() function is called it returns true even though the required fields are empty.

Is this normal behaviour? I would assume there would be some server side checking of required fields during the form's handleRequest function but it doesn't seem to have any. If not is there a way to enable this?

Improve this question
1
  • Remember, anyone can inpect the DOM and remove the required attribute, this is why you shouldn't rely on it alone. Add a constraint to your form element to ensure it is there. E.g. Symfony\Component\Validator\Constraints\NotBlank Commented Feb 7, 2017 at 11:54

1 Answer 1

Reset to default
5

You either need to check those things manually or you need to define validation constraints in your entity, to enable automatic validation.

If Symfony doesn't now what to check, it can do the validation.

Here's an example from the documentation linked above.

// src/AppBundle/Entity/Author.php

// ...
use Symfony\Component\Validator\Constraints as Assert;

class Author
{
    /**
     * @Assert\NotBlank()
     */
    public $name;
}

With this Constraint you're telling Symfony, that the name field mustn't be empty. So if the field will be submitted empty, the form validation will fail.

Never trust client side validation, since those can be modified and invalidated easily

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Thanks, that worked. I would have assumed the Form object would perform the validation on both front end and back end (especially when calling isValid), it seems a bit silly having to define the same validation in two separate places. If the Form only performs front end validation then it's pretty useless as you can't rely on it and have to re-check everything on the backend. But I can't complain as it's working now :)
The required field is just an option for the view of the form, but not for the data that lies behind the form. That's why this only affects the view, but not the server side validation.
As I'm aware, the recommendation is not to use anymore the Assert annotation (even though the official documentation encourages it). The fix is to import the respective validation class (like NotBlank), and then just /** *@NotBlank() */ above the property name. Not a big deal though, I guess...
@DanCostinel thank you for that information, I didn't know about that yet.
np. see this presentation for more info.
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.