Chapters

8 Chapters | 13:26 |

01

Creating a Form Type Class

4:51
02

Rendering the Form

3:36
03

Processing the Submitted Form

4:59
04

Multiple Submit Buttons

(coming soon)
05

Built-in Symfony Form Themes

(coming soon)
06

Client-side vs Server-side Validation

(coming soon)
07

Validation Constraints

(coming soon)
08

Organizing Form Fields

(coming soon)

> Symfony 7 > Symfony 7 Forms: The Basics

Buy Access to Course

07.

Validation Constraints

Autoplay

Lucky you! You found an early release chapter - it will be fully polished and published shortly!

This Chapter isn't quite ready...

Rest assured, the gnomes are hard at work
completing this video!

Previous Chapter

Next Chapter

In the previous chapter, we installed the Symfony Validator Component and applied our first validation constraint to the name field. This setup helps us catch errors when we submit an empty form bypassing client-side HTML5 validation.

However, our validation is currently tucked away inside the form type. This setup is fine until we create another form for the same StarshipPart entity. If we did that, we'd end up duplicating all constraints in the new form type.

Adding Validation to Entity Properties

A better approach is to attach validation directly to the entity itself. That way, every form automatically benefits. Moreover, it will be useful if we decide to validate the entity object itself without using forms.

Let's start by commenting out the constraint in the form type. Next, open up the StarshipPart entity. Right above the $name property, start typing #[NotBlank()]. PhpStorm gives me a few options, and I'll go with Assert\NotBlank. This command creates a common Assert alias for our constraint namespace for convenience. Inside, we can specify a message: I'll go borrow the exact message from the form type:

Every part should have a name!

Adding More Constraints

While we're here, let's add a rule for the $price property too. Because you know, we can't have Starship parts going for free, they are quite expensive. So above the $price, add #[Assert\GreaterThan() where set value to 0. We can also customize the message here, how about:

StarshipPart cannot be free!

Perfect.

Now, let's try our form again. Hm, oddly, we still see the name error only. Where is our new validation error for the price? This is actually expected behaviour. Most validation constraints are ignored when the value is null to prevent tripping up on optional fields. But NotBlank is different - it rejects nulls outright. So, just add another constraint above: #[Assert\NotBlank()] with a message saying:

You forgot to set the price!

Remember, you can stack as many constraints as you want on the same field.

Now, let's submit the empty form again. Finally, we're getting 2 errors. And if we set the price to 0 and try again, we'll see a slightly different error message coming from another validation constraint. Perfect!

Benefits of Symfony Form Validation

Here's a cool detail: When a form is invalid, Symfony automatically returns a 422 Unprocessable Content HTTP status code when rendering the invalid form. You can see the status in your browser's network tab or in your WDT. This behavior ensures compatibility with tools that rely on the HTTP specification, like Symfony UX Turbo.

Symfony handles this for us automatically because we send the whole Form object to the Twig template rather than manually calling createView() on the Form object before passing the form to the template. This is the recommended way to go, so the integration with Symfony UX works well.

Plus, the WDT becomes super handy for errors too. You'll see a form icon with the number of errors your form contains. We have 2 now. If you click on it to open the WDT Form tab, you can discover which form type class is responsible for this form. Click on the field name for useful information you might need during the debugging.

Debugging Validation Issues

There's also a Validator tab that provides more details about the errors you're encountering. If you switch to the Validator tab, you'll see similar data but presented slightly different with more context regarding validation constraint, e.g. their names that makes it easier to pinpoint the exact error and the specific fields it relates to.

This tab is especially handy when you use the Validator Component outside of forms. Regardless of your setup, Symfony gives us everything we need to debug validation issues.

Understanding CSRF Protection

Now, let’s talk about another important concept: CSRF protection. CSRF stands for Cross-Site Request Forgery. It’s a type of attack where a malicious website tricks your browser into sending a request you didn’t intend — for example, submitting a form or clicking a button on another site without your knowledge.

To prevent this, web frameworks use CSRF tokens — random values that prove the request really came from your app and not some other site. In traditional CSRF protection, the server generates a token and puts it into each form via a hidden field. When the form is submitted, the server checks that the token is valid. If it’s missing or wrong, the request is rejected and the CSRF validation error is shown. This stops attackers from forging requests.

Symfony supports this built-in. You usually install the CSRF package and it will automatically add tokens to forms and check them for you. That’s the classic (stateful) approach.

But in newer Symfony versions, there’s also stateless CSRF protection — useful for apps that don’t want to rely on sessions. Instead of storing tokens on the server, Symfony checks things like the request’s Origin or Referer, and (if JavaScript/Stimulus is used) optionally uses a cookie + header token that the browser sends along with the form. This works well with modern front-end tools like Stimulus controllers in Symfony UX.

Installing the CSRF protection

Head to the terminal and install it:

symfony composer require csrf

Oops, turns out there's no such package. Instead, we should use symfony/security-csrf:

symfony composer require symfony/security-csrf

As soon as that package is installed, CSRF protection is enabled for all Symfony forms by default making your forms more secure out of the box.

Checking CSRF Protection

You can see this for yourself. Head over to the form page, refresh it, and open your browser's HTML inspector. Inside our form, you'll find a hidden input type wired to a csrf-protection Stimulus controller.

The easiest way to see it in action, try modifying the CSRF field value in the browser. Replace it with any random string, e.g. "fake" and submit the form. You'll get an error:

The CSRF token is invalid. Please try to resubmit the form.

Just like that, Symfony has blocked an invalid request and returned an error, preventing any write actions from being executed.

And that's how form validation should be done. You add validation constraints to the properties that should be required or should follow specific rules and your form will stick to those rules where we will call $form->isValid() on it.

Up next, we will see how to render form fields in a specific order pushing important fields up and shift optional down. Stay tuned!

Symfony 7.3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "babdev/pagerfanta-bundle": "^4.5", // v4.5.0
        "doctrine/dbal": "^3", // 3.10.3
        "doctrine/doctrine-bundle": "^2.13", // 2.18.0
        "doctrine/doctrine-migrations-bundle": "^3.3", // 3.5.0
        "doctrine/orm": "^3.3", // 3.5.3
        "knplabs/knp-time-bundle": "^2.2", // v2.4.0
        "pagerfanta/doctrine-orm-adapter": "^4.7", // v4.7.2
        "php-cs-fixer/shim": "^3.46", // v3.89.1
        "phpdocumentor/reflection-docblock": "^5.3", // 5.6.3
        "phpstan/phpdoc-parser": "^2.0", // 2.3.0
        "stof/doctrine-extensions-bundle": "^1.12", // v1.14.0
        "symfony/asset": "7.3.*", // v7.3.0
        "symfony/asset-mapper": "7.3.*", // v7.3.5
        "symfony/console": "7.3.*", // v7.3.5
        "symfony/dotenv": "7.3.*", // v7.3.2
        "symfony/flex": "^2", // v2.9.0
        "symfony/form": "7.3.*", // v7.3.5
        "symfony/framework-bundle": "7.3.*", // v7.3.5
        "symfony/http-client": "7.3.*", // v7.3.4
        "symfony/monolog-bundle": "^3.0", // v3.10.0
        "symfony/property-access": "7.3.*", // v7.3.3
        "symfony/property-info": "7.3.*", // v7.3.5
        "symfony/runtime": "7.3.*", // v7.3.4
        "symfony/security-csrf": "7.3.*", // v7.3.0
        "symfony/serializer": "7.3.*", // v7.3.5
        "symfony/stimulus-bundle": "^2.13", // v2.31.0
        "symfony/twig-bundle": "7.3.*", // v7.3.4
        "symfony/ux-turbo": "^2.13", // v2.31.0
        "symfony/validator": "7.3.*", // v7.3.6
        "symfony/yaml": "7.3.*", // v7.3.5
        "symfonycasts/tailwind-bundle": "^0.9.0", // v0.9.0
        "twig/extra-bundle": "^2.12|^3.0", // v3.22.0
        "twig/twig": "^2.12|^3.0" // v3.22.0
    },
    "require-dev": {
        "symfony/debug-bundle": "7.3.*", // v7.3.5
        "symfony/maker-bundle": "^1.52", // v1.64.0
        "symfony/stopwatch": "7.3.*", // v7.3.0
        "symfony/web-profiler-bundle": "7.3.*", // v7.3.5
        "zenstruck/foundry": "^2.7" // v2.7.7
    }
}