WEBVTT

NOTE Created by CaptionSync from Automatic Sync Technologies www.automaticsync.com

00:00:01.006 --> 00:00:05.236 align:middle
Inside our JavaScript, we're making
a POST request to the endpoint.

00:00:05.616 --> 00:00:06.776 align:middle
And that makes sense.

00:00:07.116 --> 00:00:12.726 align:middle
The topic of "which HTTP method"
- like GET, POST, PUT, etc -

00:00:13.146 --> 00:00:15.596 align:middle
you're supposed to use for an API endpoint...

00:00:15.746 --> 00:00:17.216 align:middle
can get complicated.

00:00:17.646 --> 00:00:23.856 align:middle
But because our endpoint will eventually change
something in the database, as a best-practice,

00:00:24.116 --> 00:00:27.896 align:middle
we don't want to allow people
to make a GET request to it.

00:00:28.466 --> 00:00:32.626 align:middle
Right now, we can make a GET request
by just putting the URL in our browser.

00:00:32.946 --> 00:00:34.496 align:middle
Hey! I just voted!

00:00:35.546 --> 00:00:40.596 align:middle
To tighten this up, in CommentController,
we can make our route smarter:

00:00:40.986 --> 00:00:44.946 align:middle
we can tell it to only match
if the method is POST.

00:00:45.516 --> 00:00:48.506 align:middle
To do that add methods="POST".

00:00:49.836 --> 00:00:52.336 align:middle
As soon as we do that, when we refresh...

00:00:52.376 --> 00:00:54.656 align:middle
404 not found!

00:00:55.046 --> 00:00:57.276 align:middle
The route no longer matches.

00:00:57.956 --> 00:01:00.436 align:middle
Another cool way to see this
is at your terminal.

00:01:00.846 --> 00:01:05.176 align:middle
Run: php bin/console router:match.

00:01:05.716 --> 00:01:07.276 align:middle
Then go copy the URL...

00:01:11.686 --> 00:01:12.466 align:middle
and paste it.

00:01:13.246 --> 00:01:17.386 align:middle
This fun command tells us which
route matches a given URL.

00:01:17.826 --> 00:01:21.466 align:middle
In this case, no routes match, but it tells us

00:01:21.466 --> 00:01:26.196 align:middle
that it almost matched the
app_comment_commentvote route.

00:01:26.746 --> 00:01:33.226 align:middle
To see if a POST request would match
this route, pass --method=POST: And...

00:01:33.306 --> 00:01:39.296 align:middle
boom! It shows us the route that matched and
ALL its details, including the controller.

00:01:39.916 --> 00:01:42.746 align:middle
But there's something else that's
not quite right with our route.

00:01:42.746 --> 00:01:48.676 align:middle
We're expecting that the {direction}
part will either be up or down.

00:01:49.116 --> 00:01:53.426 align:middle
But... technically, somebody
could put banana in the URL.

00:01:53.426 --> 00:01:59.996 align:middle
In fact, let's try that: change
the direction to banana: Yes!

00:02:00.336 --> 00:02:02.566 align:middle
We vote "banana" for this comment!

00:02:03.276 --> 00:02:04.996 align:middle
This isn't the end of the world...

00:02:05.516 --> 00:02:11.526 align:middle
if a bad user tried to hack our system and
did this, it would just be a down vote.

00:02:11.526 --> 00:02:13.156 align:middle
But we can make this better.

00:02:13.696 --> 00:02:17.856 align:middle
As you know, normally a wildcard
matches anything.

00:02:18.446 --> 00:02:23.456 align:middle
However, if you want, you can control
that with a regular expression.

00:02:24.146 --> 00:02:28.696 align:middle
Inside the {}, but after the name, add <>.

00:02:29.016 --> 00:02:33.966 align:middle
Inside, say up|down.

00:02:36.306 --> 00:02:39.686 align:middle
Now try the router:match command: Yes!

00:02:39.966 --> 00:02:43.696 align:middle
It does not match because
banana is not up or down.

00:02:44.236 --> 00:02:49.906 align:middle
If we change this to up, it works:
By the way, you might be tempted

00:02:49.906 --> 00:02:53.766 align:middle
to also make the {id} wildcard smarter.

00:02:54.366 --> 00:03:01.416 align:middle
Assuming we're using auto-increment database
ids, we know that id should be an integer.

00:03:02.086 --> 00:03:10.396 align:middle
To make this route only match if the
id part is a number, you can add <\d+>,

00:03:10.786 --> 00:03:15.476 align:middle
which means: match a "digit" of any length.

00:03:15.476 --> 00:03:18.736 align:middle
But... I'm actually not going to put that here.

00:03:19.246 --> 00:03:24.606 align:middle
Why? Eventually, we're going to
use $id to query the database.

00:03:25.246 --> 00:03:27.956 align:middle
If somebody puts banana here, who cares?

00:03:28.346 --> 00:03:31.926 align:middle
The query won't find any
comment with an id of banana

00:03:31.926 --> 00:03:35.286 align:middle
and we will add some code to return a 404 page.

00:03:35.906 --> 00:03:41.946 align:middle
Even if somebody tries an SQL injection attack,
as you'll learn later in our database tutorial,

00:03:42.316 --> 00:03:46.836 align:middle
it will still be ok, because the
database layer protects against this.

00:03:47.426 --> 00:03:49.276 align:middle
Let's make sure everything still works.

00:03:49.906 --> 00:03:53.036 align:middle
I'll close one browser tab
and refresh the show page.

00:03:54.176 --> 00:03:56.276 align:middle
Yea! Voting still looks good.

00:03:57.026 --> 00:04:03.696 align:middle
Next, let's get a sneak peek into the most
fundamental part of Symfony: services.

