Yii::$app->request->post() is always empty

Hi guys,
In my application, I use following form:

<?php
use yii\helpers\Html;
use kartik\widgets\ActiveForm;

ActiveForm::begin([
'type' => ActiveForm::TYPE_VERTICAL,
'formConfig' => [
    'showLabels' => false
]]);
$this->title = Yii::t('app', 'Zusammenfassung');
?>
<div class="page-header">
<br><br><center>
    <h1><?= Html::encode($this->title) ?></h1></center>
</div>
<div class="jumbotron">
<div class="container">
    <div class="row">
        <div class="col-md-12">
            <p>Folgende Bankdaten werden nach Ihrem Submit abgespeichert:</p>
        </div>
        <div class="col-md-3">
            <p>Ihre eingegebenen Daten:</p>
        </div>
        <div class="col-md-3">
            <p>Länderkennung: <?= $laenderkennung ?></p>
        </div>
        <div class="col-md-3">
            <p>Kontonummer: <?= $kontonummer ?></p>
        </div>
        <div class="col-md-3">
            <p>Bankleitzahl: <?= $blz ?></p>
        </div>
        <div class="col-md-12">
            <p>Die ermittelten Webservicedaten:</p>
        </div>
        <div class="col-md-3">
            <p>Institut: <?= $institut ?></p>
        </div>  
        <div class="col-md-3">
            <p>BIC: <?= $bic ?></p>
        </div>         
        <div class="col-md-3">
            <p>IBAN: <?= $iban ?></p>
        </div> 
        <div class="col-md-3">
            <p>KundenId: <?= $id ?></p>
        </div> 
    </div>
</div>
</div>
<div class="form-group">              
<?= Html::submitButton(Yii::t('app', 'Weiter'), ['class' => 'btn btn-info']) ?>
<?= Html::a(Yii::t('app', 'Cancel'), ['/site/index'], ['class' => 'btn btn-danger']) ?>
</div>
<?php
ActiveForm::end();
?>

and following action method in Controller:

public function actionConclusion($id, $laenderkennung, $kontonummer, $blz, $institut, $bic, $iban) {
    $model = new Bankverbindung();
    $modelKunde = $this->findModelKunde($id);
    print_r('<br><br><br>');
    var_dump(Yii::$app->request->post());
    if (Yii::$app->request->post()) {
        $model->laenderkennung = $laenderkennung;
        $model->institut = $institut;
        $model->blz = $blz;
        $model->kontoNr = $kontonummer;
        $model->iban = $iban;
        $model->bic = $bic;
        $model->kunde_id = $id;
        //ToDO:Save record into database in Transaction
        $model->save();
        $modelKunde->bankverbindung_id = $model->id;
        $modelKunde->save();
        $this->redirect(['/bankverbindung/index']);
    } else {
        return $this->render('_form_conclusion', [
                    'id' => $id,
                    'laenderkennung' => $laenderkennung,
                    'kontonummer' => $kontonummer,
                    'blz' => $blz,
                    'institut' => $institut,
                    'bic' => $bic,
                    'iban' => $iban
        ]);
    }
}

Whenever I push the submit button (‘Weiter’),
var_dump(Yii::$app->request->post());
will show an empty array. The condition will always be false. What could cause this trouble?

This is output of Domexplorer:

>  <form id="w0" class="form-vertical" action="/yii2_ErkanImmo/backend/web/index.php/bankverbindung_conc?id=15&amp;laenderkennung=DE&amp;kontonummer=1911869221&amp;blz=25050180&amp;institut=Sparkasse+Hannover+Hannover&amp;bic=SPKHDE2HXXX&amp;iban=DE92250501801911869221" method="post" role="form"><div class="page-header">
>     <br><br><center>
>         <h1>Zusammenfassung</h1></center>
> </div>
> <div class="jumbotron">
>     <div class="container">
>         <div class="row">
>             <div class="col-md-12">
>                 <p>Folgende Bankdaten werden nach Ihrem Submit abgespeichert:</p>
>             </div>
>             <div class="col-md-3">
>                 <p>Ihre eingegebenen Daten:</p>
>             </div>
>             <div class="col-md-3">
>                 <p>Länderkennung: DE</p>
>             </div>
>             <div class="col-md-3">
>                 <p>Kontonummer: 1911869221</p>
>             </div>
>             <div class="col-md-3">
>                 <p>Bankleitzahl: 25050180</p>
>             </div>
>             <div class="col-md-12">
>                 <p>Die ermittelten Webservicedaten:</p>
>             </div>
>             <div class="col-md-3">
>                 <p>Institut: Sparkasse Hannover Hannover</p>
>             </div>  
>             <div class="col-md-3">
>                 <p>BIC: SPKHDE2HXXX</p>
>             </div>         
>             <div class="col-md-3">
>                 <p>IBAN: DE92250501801911869221</p>
>             </div> 
>             <div class="col-md-3">
>                 <p>KundenId: 15</p>
>             </div> 
>         </div>
>     </div>
> </div>
> <div class="form-group">              
>     <button type="submit" class="btn btn-info">Weiter</button>    <a class="btn btn-danger" href="/yii2_ErkanImmo/backend/web/index.php/home">Cancel</a></div>
> </form>

Yii Debugger will show this:

$_GET

Name Value
id ‘15’
laenderkennung ‘DE’
kontonummer ‘1911869221’
blz ‘25050180’
institut ‘Sparkasse Hannover Hannover’
bic ‘SPKHDE2HXXX’
iban ‘DE92250501801911869221’

$_POST

Empty.

It’s because your form has no input in it.

What do you mean, with no input in it?
What kind of input should be in it?
Input is given by parameters from Controller, isn’t it?

Ahhh, now I seem to understand what you mean. I have to put at least one field like this:

   <div class="col-md-3">
            <?=
            $form->field($model, 'laenderkennung', ['addon' => [
                    'prepend' => ['content' => 'laenderkennung']]])->textInput(['maxlength' => true, 'value' =>$laenderkennung, 'readOnly' => true])
            ?>
            <p>Länderkennung: <?= $laenderkennung ?></p>
        </div>

This line checks whether POST array is not empty. It doesn’t check whether the method is post.

You could use

if (Yii::$app->request->isPost) {

instead.

https://www.yiiframework.com/doc/api/2.0/yii-web-request#$isPost-detail

Ohh. Okay. Many greetings for your efforts helping me. Coding the form like this, $_POST won’t be empty any more, and all records will be saved into the database:

<?php

use yii\helpers\Html;
use kartik\widgets\ActiveForm;

$form = ActiveForm::begin([
            'id' => 'dynamic-form',
            'type' => ActiveForm::TYPE_VERTICAL,
            'formConfig' => [
                'showLabels' => false
        ]]);
$this->title = Yii::t('app', 'Zusammenfassung');
?>
<div class="page-header">
    <br><br><center>
        <h1><?= Html::encode($this->title) ?></h1></center>
</div>
<div class="jumbotron">
    <div class="container">
        <div class="row">
            <div class="col-md-12">
                <p>Folgende Bankdaten werden nach Ihrem Submit abgespeichert:</p>
            </div>
            <div class="col-md-3">
                <p>Ihre eingegebenen Daten:</p>
            </div>
            <div class="col-md-3">
                <?=
                $form->field($model, 'laenderkennung', ['addon' => [
                        'prepend' => ['content' => 'Länderkennung']]])->textInput(['maxlength' => true, 'value' => $laenderkennung, 'readOnly' => true])
                ?>
            </div>
            <div class="col-md-3">
                <?=
                $form->field($model, 'kontonummer', ['addon' => [
                        'prepend' => ['content' => 'Kontonummer']]])->textInput(['maxlength' => true, 'value' => $kontonummer, 'readOnly' => true])
                ?>
            </div>
            <div class="col-md-3">
                <?=
                $form->field($model, 'blz', ['addon' => [
                        'prepend' => ['content' => 'Bankleitzahl']]])->textInput(['maxlength' => true, 'value' => $blz, 'readOnly' => true])
                ?>
            </div>
            <div class="col-md-12">
                <p>Die ermittelten Webservicedaten:</p>
            </div>
            <div class="col-md-4">
                <?=
                $form->field($model, 'institut', ['addon' => [
                        'prepend' => ['content' => 'Bankinstitut']]])->textInput(['maxlength' => true, 'value' => $institut, 'readOnly' => true])
                ?>
            </div>  
            <div class="col-md-4">
                <?=
                $form->field($model, 'bic', ['addon' => [
                        'prepend' => ['content' => 'BIC']]])->textInput(['maxlength' => true, 'value' => $bic, 'readOnly' => true])
                ?>
            </div>         
            <div class="col-md-4">
                <?=
                $form->field($model, 'iban', ['addon' => [
                        'prepend' => ['content' => 'IBAN']]])->textInput(['maxlength' => true, 'value' => $iban, 'readOnly' => true])
                ?>             
            </div> 
            <div class="col-md-12">
                <p>KundenId: <?= $id ?></p>
            </div> 
        </div>
    </div>
</div>
<div class="form-group">              
    <?= Html::submitButton(Yii::t('app', 'Weiter'), ['class' => 'btn btn-info']) ?>
    <?= Html::a(Yii::t('app', 'Cancel'), ['/site/index'], ['class' => 'btn btn-danger']) ?>
</div>
<?php ActiveForm::end(); ?>

This is very dangerous.

A malicious user can easily exploit this action by supplying arbitrary parameters ($id, $laenderkennung, $kontonummer, $blz, $institut, $bic, $iban) manually.

http://my.site.com/conclusion?id=1&laenderkennung=2&...

You should not pass those critical parameters using GET. Consider using hidden inputs instead.

Yuup. You are right. How can I hide $_GET parameters with yii2?
The following statement will not solve the problem of exploiting. It will just hide the value of the property, but this is not my intention…

 $form->field($model, 'blz', ['addon' => [
                        'prepend' => ['content' => 'Bankleitzahl']]])->hiddenInput(['maxlength' => true, 'value' => $blz, 'readOnly' => true])

I guess “actionConclusion” is a kind of “the last moment confirmation page”. You are showing it after “actionCreate” or “actionUpdate” (or something like that) has gathered and validated a set of user input. Am I right?

Probably something like the following:

if ($model->validate()) {
    // $model->save();    // don't save here
    $this->redirect(['conclusion',
        'id' => $model->kunde_id,
        'laenderkennung' => $model->laenderkennung,
        'blz' => $model->blz,
        ...
    ]);
}

But this will inevitably require an action that uses GET parameters. And the parameters passed by GET should not be used for creating/updating data because it’s very easy to exploit.

I would pass the parameters using session.

if ($model->validate()) {
    // $model->save();    // don't save here
    // keep the validated values on the server instead of in the URL
    $session = Yii::$app->session;
    $session['kunde_id'] = $model->kunde_id;
    $session['laenderkennung'] = $model->laenderkennung;
    $session['blz'] = $model->blz;
    ...
    $this->redirect(['conclusion']);
}

And in “actionConclusion”:

public function actionConclusion() 
{
    // rebuild the model from the session, not from request parameters
    $model = new Bankverbindung();
    $session = Yii::$app->session;
    $model->kunde_id = $session['kunde_id'];
    $model->laenderkennung = $session['laenderkennung'];
    $model->blz = $session['blz'];
    ...
    if (Yii::$app->request->isPost) {
        $model->save();
        ...
        $this->redirect(['/bankverbindung/index']);
    } else {
        return $this->render('_form_conclusion', ['model' => $model]);
    }
}

I recommended you to use hidden inputs, but, well, it’s not necessary because the model is constructed by the values in the session.
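
A hardened version of the confirmation action sketched in the post above, written as an added example (not code from the thread's participants): it commits only what the server stored, wraps both saves in the transaction the original TODO asks for, and clears the stored data afterwards. It assumes the preceding action stored `$model->getAttributes()` under the hypothetical session key `bankverbindung.pending`; the namespaces and the `Kunde` class name are also assumptions.

```php
<?php
namespace backend\controllers;
use Yii;
use yii\web\BadRequestHttpException;
use yii\web\Controller;
use common\models\Bankverbindung; // namespace assumed
use common\models\Kunde;          // class name and namespace assumed

class BankverbindungController extends Controller
{
    const PENDING_KEY = 'bankverbindung.pending'; // hypothetical session key
    // GET shows the stored values, POST commits them; neither reads request data.
    public function actionConclusion()
    {
        $pending = Yii::$app->session->get(self::PENDING_KEY);
        if (!is_array($pending)) {
            throw new BadRequestHttpException('Nothing to confirm.');
        }
        $model = new Bankverbindung();
        $model->setAttributes($pending, false); // session values only
        if (!Yii::$app->request->isPost) {
            return $this->render('_form_conclusion', ['model' => $model]);
        }
        $kunde = $this->findModelKunde($model->kunde_id);
        $tx = Yii::$app->db->beginTransaction();
        try {
            if (!$model->save()) { // save() validates again before writing
                throw new \RuntimeException('Bankverbindung is invalid.');
            }
            $kunde->bankverbindung_id = $model->id;
            if (!$kunde->save()) {
                throw new \RuntimeException('Kunde could not be updated.');
            }
            $tx->commit();
        } catch (\Throwable $e) {
            $tx->rollBack(); // leave no half-written pair of records
            throw $e;
        }
        Yii::$app->session->remove(self::PENDING_KEY); // a confirmation is single-use
        return $this->redirect(['/bankverbindung/index']);
    }
    protected function findModelKunde($id)
    {
        if (($kunde = Kunde::findOne($id)) === null) {
            throw new \yii\web\NotFoundHttpException('Kunde not found.');
        }
        return $kunde;
    }
}
```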

Yuup. U are right!
I already apply parameters using sessions, for instance, if to send them via redirect, which doesn’t accept arrays.
In the present case, I am not able to use sessions, 'cause they will be destroyed

$sessionPHP = Yii::$app->session;
if (!empty($header)) {
    $this->title = Yii::t('app', $header);
    $sessionPHP->open();
    $sessionPHP['header'] = $header;
    $sessionPHP->close();
} else {
    $this->title = Yii::t('app', 'Alle Besichtigungstermine anzeigen');
    $sessionPHP->destroy();
}

You don’t need to destroy the session as a whole. You can just remove a certain variable.

$sessionPHP->remove('header');

https://www.yiiframework.com/doc/api/2.0/yii-web-session#remove()-detail

Oh, okay. Didn’t know remove() in this context. So, I will use $sessionPHP in order to avoid exploiting my application.
This thread can be closed as successfully solved!