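CSRF validation can be disabled locally in a controller by overriding the parent class's property:

    public $enableCsrfValidation = false;

It can also be disabled globally in the configuration file:

    'components' => [
        'request' => [
            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
            'cookieValidationKey' => '83r5HbITBiMfmiYPOZFdL-raVp4O1VV4',
            'enableCookieValidation' => false,
            // turns off the CSRF token check for every request in the application
            'enableCsrfValidation' => false,
        ],
    ],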
The \yii\widgets\ActiveForm class has a run() method:

    /**
     * Runs the widget.
     * This registers the necessary javascript code and renders the form close tag.
     * @throws InvalidCallException if `beginField()` and `endField()` calls are not matching
     */
    public function run()
    {
        if (!empty($this->_fields)) {
            throw new InvalidCallException('Each beginField() should have a matching endField() call.');
        }

        $content = ob_get_clean();
        echo Html::beginForm($this->action, $this->method, $this->options);
        echo $content;

        if ($this->enableClientScript) {
            $id = $this->options['id'];
            $options = Json::htmlEncode($this->getClientOptions());
            $attributes = Json::htmlEncode($this->attributes);
            $view = $this->getView();
            ActiveFormAsset::register($view);
            $view->registerJs("jQuery('#$id').yiiActiveForm($attributes, $options);");
        }

        echo Html::endForm();
    }

Note the line echo Html::beginForm($this->action, $this->method, $this->options); in it. Inside the Html::beginForm() method there is this code:

    if ($csrf && $request->enableCsrfValidation && strcasecmp($method, 'post') === 0) {
        $hiddenInputs[] = static::hiddenInput($request->csrfParam, $request->getCsrfToken());
    }

This is what writes a hidden input carrying _csrf into the form. If you are not using ActiveForm, you have to add it manually:

    <input type="hidden" name="<?php echo Yii::$app->request->csrfParam; ?>" value="<?php echo Yii::$app->request->getCsrfToken(); ?>">
For an AJAX POST, this parameter must also be included in the request data.
Standard Yii 2.0 usage
    <?php $this->beginPage() ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="UTF-8"/>
        <?= Html::csrfMetaTags() ?>
        <title><?= Html::encode($this->title) ?></title>
        <?php $this->head() ?>
    </head>

Form:

    <?php $form = ActiveForm::begin(['id' => 'login-form']); ?>
    <?php ActiveForm::end(); ?>
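The AJAX POST case mentioned above, as an added example that is not part of the original post: it reads the two meta tags that Html::csrfMetaTags() renders in the layout and attaches the token both to the POST data and to the X-CSRF-Token header that Yii also accepts. The function names (readCsrfMeta, buildPostBody, postWithCsrf) are hypothetical, and a same-origin URL is assumed.

```javascript
// Added example, not code from the original post.
// Html::csrfMetaTags() renders two tags in <head>:
//   <meta name="csrf-param" content="_csrf">
//   <meta name="csrf-token" content="...">

// Read the parameter name and token from any object exposing querySelector().
function readCsrfMeta(doc) {
  const content = (name) => {
    const el = doc.querySelector('meta[name="' + name + '"]');
    return el ? el.getAttribute('content') : null;
  };
  const param = content('csrf-param');
  const token = content('csrf-token');
  if (!param || !token) {
    // Fail before sending: without the token Yii rejects the POST with HTTP 400.
    throw new Error('CSRF meta tags missing: is Html::csrfMetaTags() in the layout <head>?');
  }
  return { param, token };
}

// Build a form-encoded body with the CSRF parameter next to the form fields.
function buildPostBody(fields, csrf) {
  const body = new URLSearchParams();
  for (const [key, value] of Object.entries(fields)) {
    if (key === csrf.param) continue; // caller data never overrides the token
    body.append(key, String(value));
  }
  body.append(csrf.param, csrf.token);
  return body.toString();
}

// Hypothetical helper: POST form fields to a same-origin Yii action.
function postWithCsrf(url, fields, doc = document) {
  const csrf = readCsrfMeta(doc);
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin', // send cookies so the server can match the token
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'X-CSRF-Token': csrf.token,
    },
    body: buildPostBody(fields, csrf),
  });
}
```

In a page that uses the layout above, `postWithCsrf('/site/login', { username: 'alice' })` would send the token without the view having to embed it in every script; the URL and field name here are constructed for illustration.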
This article comes from the “PHP学习” blog; please be sure to keep this attribution