Laravel 5.6 will include two new form Blade directives for cross-site request forgery (CSRF) and HTTP method input, thanks to Taylor Otwell.
Went ahead and added both of these for Laravel 5.6 pic.twitter.com/tLLKVSRSQe
— Taylor Otwell (@taylorotwell) December 1, 2017
In Laravel 5.5 you do the following at the top of forms to create hidden inputs for the CSRF token and the spoofed HTTP method:
<form>
    {{ csrf_field() }}
    {{ method_field('PUT') }}
    <!-- ... -->
</form>
Starting in Laravel 5.6 you can do the following instead:
<form>
    @method('put')
    @csrf
    <!-- ... -->
</form>
Laravel makes it easy to protect your site against CSRF attacks without any work on your part. However, to submit a form successfully, you must include a CSRF token input, which is used to verify that the form submission came from the application and not from another site.
Secondly, since HTML forms can’t make PUT, PATCH, or DELETE requests, you need to add a hidden _method input to spoof these HTTP verbs. Laravel uses the _method input to route the request to the appropriate controller action correctly.
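Because a form that omits the token input is rejected and a spoofed verb only takes effect on a real POST, both mistakes can be caught before deployment. The following is an added example, not code from Laravel or from the original post: a small template check that accepts both the 5.5 helpers and the 5.6 directives. The function name, finding labels and sample template are constructed for illustration.

```python
import re

# One <form ...>...</form> block; quoted attribute values may contain '>' (e.g. Blade arrays).
FORM_RE = re.compile(r"""<form\b((?:[^>"']|"[^"]*"|'[^']*')*)>(.*?)</form>""",
                     re.IGNORECASE | re.DOTALL)
# The form's real HTTP method attribute (not data-method or similar).
METHOD_ATTR_RE = re.compile(r"""(?<![\w-])method\s*=\s*["']?([A-Za-z]+)""", re.IGNORECASE)
# CSRF token input: the 5.6 directive or the 5.5 helper.
CSRF_RE = re.compile(r"@csrf\b|\{\{\s*csrf_field\(\)\s*\}\}")
# Spoofed verb: @method('put') or {{ method_field('PUT') }}.
SPOOF_RE = re.compile(r"""(?:@method|method_field)\(\s*["'](\w+)["']\s*\)""")


def audit_forms(template):
    """Return (form_number, finding) tuples for one Blade template string."""
    findings = []
    for number, match in enumerate(FORM_RE.finditer(template), start=1):
        attrs, body = match.group(1), match.group(2)
        attr = METHOD_ATTR_RE.search(attrs)
        method = attr.group(1).upper() if attr else "GET"  # HTML default is GET
        # The hidden _method input is only read on POST requests, so a
        # spoofed verb inside a GET form is silently ignored.
        if SPOOF_RE.search(body) and method != "POST":
            findings.append((number, "spoof-needs-post"))
        # A POST form without the token input is rejected by CSRF verification.
        if method == "POST" and not CSRF_RE.search(body):
            findings.append((number, "missing-csrf"))
    return findings


# Constructed sample template: form 1 is correct, form 2 lacks the token,
# form 3 spoofs PATCH but has no method="POST".
SAMPLE = """
<form method="POST" action="/posts/1">
    @method('put')
    @csrf
</form>
<form method="POST" action="{{ route('posts.destroy', ['id' => 2]) }}">
    {{ method_field('DELETE') }}
</form>
<form action="/posts/3">
    @method('patch')
    {{ csrf_field() }}
</form>
"""

if __name__ == "__main__":
    for number, finding in audit_forms(SAMPLE):
        print("form %d: %s" % (number, finding))
```

The check is regex-based, so forms assembled from Blade components or includes still need a manual look.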
These directives will be out with Laravel 5.6 when it ships next year! Here’s the commit if you want to see the source code related to this feature.
I feel like the new directives are more instinctive and more natural to remember; however, the helper functions are still available for use if you prefer.
Full stack web developer. Author of Lumen Programming Guide and Docker for PHP Developers.