• Название:

    Symfony book 2.3

  • Размер: 2.62 Мб
  • Формат: PDF
  • или
  • Название: The Book

The Book
for Symfony 2.3
generated on October 9, 2014

The Book (2.3)
This work is licensed under the “Attribution-Share Alike 3.0 Unported” license (http://creativecommons.org/
licenses/by-sa/3.0/).
You are free to share (to copy, distribute and transmit the work), and to remix (to adapt the work) under the
following conditions:
• Attribution: You must attribute the work in the manner specified by the author or licensor (but
not in any way that suggests that they endorse you or your use of the work).
• Share Alike: If you alter, transform, or build upon this work, you may distribute the resulting work
only under the same, similar or a compatible license. For any reuse or distribution, you must make
clear to others the license terms of this work.
The information in this book is distributed on an “as is” basis, without warranty. Although every precaution
has been taken in the preparation of this work, neither the author(s) nor SensioLabs shall have any liability to
any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the information contained in this work.
If you find typos or errors, feel free to report them by creating a ticket on the Symfony ticketing system
(http://github.com/symfony/symfony-docs/issues). Based on tickets and users feedback, this book is
continuously updated.

Contents at a Glance
Symfony and HTTP Fundamentals ......................................................................................................4
Symfony versus Flat PHP...................................................................................................................14
Installing and Configuring Symfony...................................................................................................27
Creating Pages in Symfony ................................................................................................................34
Controller.........................................................................................................................................48
Routing ............................................................................................................................................60
Creating and Using Templates...........................................................................................................73
Databases and Doctrine ....................................................................................................................92
Databases and Propel ...................................................................................................................... 113
Testing ........................................................................................................................................... 122
Validation....................................................................................................................................... 137
Forms ............................................................................................................................................. 148
Security .......................................................................................................................................... 174
HTTP Cache................................................................................................................................... 198
Translations.................................................................................................................................... 214
Service Container ............................................................................................................................ 223
Performance ................................................................................................................................... 234
Internals ......................................................................................................................................... 237
The Symfony Stable API .................................................................................................................. 246

PDF brought to you by
generated on October 9, 2014

Contents at a Glance | iii

Chapter 1

Symfony and HTTP Fundamentals
Congratulations! By learning about Symfony, you're well on your way towards being a more productive,
well-rounded and popular web developer (actually, you're on your own for the last part). Symfony is built
to get back to basics: to develop tools that let you develop faster and build more robust applications,
while staying out of your way. Symfony is built on the best ideas from many technologies: the tools and
concepts you're about to learn represent the efforts of thousands of people, over many years. In other
words, you're not just learning "Symfony", you're learning the fundamentals of the web, development
best practices, and how to use many amazing new PHP libraries, inside or independently of Symfony. So,
get ready.
True to the Symfony philosophy, this chapter begins by explaining the fundamental concept common
to web development: HTTP. Regardless of your background or preferred programming language, this
chapter is a must-read for everyone.

HTTP is Simple
HTTP (Hypertext Transfer Protocol to the geeks) is a text language that allows two machines to
communicate with each other. That's it! For example, when checking for the latest xkcd1 comic, the
following (approximate) conversation takes place:

1. http://xkcd.com/

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 4

And while the actual language used is a bit more formal, it's still dead-simple. HTTP is the term used to
describe this simple text-based language. And no matter how you develop on the web, the goal of your
server is always to understand simple text requests, and return simple text responses.
Symfony is built from the ground-up around that reality. Whether you realize it or not, HTTP is
something you use everyday. With Symfony, you'll learn how to master it.

Step1: The Client Sends a Request
Every conversation on the web starts with a request. The request is a text message created by a client (e.g.
a browser, an iPhone app, etc) in a special format known as HTTP. The client sends that request to a
server, and then waits for the response.
Take a look at the first part of the interaction (the request) between a browser and the xkcd web server:

In HTTP-speak, this HTTP request would actually look something like this:
Listing 1-1

1
2
3
4

GET / HTTP/1.1
Host: xkcd.com
Accept: text/html
User-Agent: Mozilla/5.0 (Macintosh)

This simple message communicates everything necessary about exactly which resource the client is
requesting. The first line of an HTTP request is the most important and contains two things: the URI and
the HTTP method.
The URI (e.g. /, /contact, etc) is the unique address or location that identifies the resource the client
wants. The HTTP method (e.g. GET) defines what you want to do with the resource. The HTTP methods
are the verbs of the request and define the few common ways that you can act upon the resource:
PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 5

GET

Retrieve the resource from the server

POST

Create a resource on the server

PUT

Update the resource on the server

DELETE Delete the resource from the server
With this in mind, you can imagine what an HTTP request might look like to delete a specific blog entry,
for example:
Listing 1-2

1 DELETE /blog/15 HTTP/1.1

There are actually nine HTTP methods defined by the HTTP specification, but many of them are
not widely used or supported. In reality, many modern browsers don't support the PUT and DELETE
methods.

In addition to the first line, an HTTP request invariably contains other lines of information called request
headers. The headers can supply a wide range of information such as the requested Host, the response
formats the client accepts (Accept) and the application the client is using to make the request (UserAgent). Many other headers exist and can be found on Wikipedia's List of HTTP header fields2 article.

Step 2: The Server Returns a Response
Once a server has received the request, it knows exactly which resource the client needs (via the URI)
and what the client wants to do with that resource (via the method). For example, in the case of a GET
request, the server prepares the resource and returns it in an HTTP response. Consider the response from
the xkcd web server:

Translated into HTTP, the response sent back to the browser will look something like this:
Listing 1-3

1
2
3
4
5
6

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 21:05:05 GMT
Server: lighttpd/1.4.19
Content-Type: text/html
<html>

2. http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 6

7
<!-- ... HTML for the xkcd comic -->
8 </html>

The HTTP response contains the requested resource (the HTML content in this case), as well as other
information about the response. The first line is especially important and contains the HTTP response
status code (200 in this case). The status code communicates the overall outcome of the request back
to the client. Was the request successful? Was there an error? Different status codes exist that indicate
success, an error, or that the client needs to do something (e.g. redirect to another page). A full list can
be found on Wikipedia's List of HTTP status codes3 article.
Like the request, an HTTP response contains additional pieces of information known as HTTP headers.
For example, one important HTTP response header is Content-Type. The body of the same resource
could be returned in multiple different formats like HTML, XML, or JSON and the Content-Type header
uses Internet Media Types like text/html to tell the client which format is being returned. A list of
common media types can be found on Wikipedia's List of common media types4 article.
Many other headers exist, some of which are very powerful. For example, certain headers can be used to
create a powerful caching system.

Requests, Responses and Web Development
This request-response conversation is the fundamental process that drives all communication on the web.
And as important and powerful as this process is, it's inescapably simple.
The most important fact is this: regardless of the language you use, the type of application you build
(web, mobile, JSON API), or the development philosophy you follow, the end goal of an application is
always to understand each request and create and return the appropriate response.
Symfony is architected to match this reality.
To learn more about the HTTP specification, read the original HTTP 1.1 RFC5 or the HTTP Bis6,
which is an active effort to clarify the original specification. A great tool to check both the request
and response headers while browsing is the Live HTTP Headers7 extension for Firefox.

Requests and Responses in PHP
So how do you interact with the "request" and create a "response" when using PHP? In reality, PHP
abstracts you a bit from the whole process:
Listing 1-4

1
2
3
4
5
6

$uri = $_SERVER['REQUEST_URI'];
$foo = $_GET['foo'];
header('Content-type: text/html');
echo 'The URI requested is: '.$uri;
echo 'The value of the "foo" parameter is: '.$foo;

As strange as it sounds, this small application is in fact taking information from the HTTP request and
using it to create an HTTP response. Instead of parsing the raw HTTP request message, PHP prepares
superglobal variables such as $_SERVER and $_GET that contain all the information from the request.
3. http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
4.
5.
6.
7.

http://en.wikipedia.org/wiki/Internet_media_type#List_of_common_media_types
http://www.w3.org/Protocols/rfc2616/rfc2616.html
http://datatracker.ietf.org/wg/httpbis/
https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 7

Similarly, instead of returning the HTTP-formatted text response, you can use the header() function to
create response headers and simply print out the actual content that will be the content portion of the
response message. PHP will create a true HTTP response and return it to the client:
Listing 1-5

1
2
3
4
5
6
7

HTTP/1.1 200 OK
Date: Sat, 03 Apr 2011 02:14:33 GMT
Server: Apache/2.2.17 (Unix)
Content-Type: text/html
The URI requested is: /testing?foo=symfony
The value of the "foo" parameter is: symfony

Requests and Responses in Symfony
Symfony provides an alternative to the raw PHP approach via two classes that allow you to interact
with the HTTP request and response in an easier way. The Request8 class is a simple object-oriented
representation of the HTTP request message. With it, you have all the request information at your
fingertips:
Listing 1-6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

use Symfony\Component\HttpFoundation\Request;
$request = Request::createFromGlobals();

// the URI being requested (e.g. /about) minus any query parameters
$request->getPathInfo();
// retrieve GET and POST variables respectively
$request->query->get('foo');
$request->request->get('bar', 'default value if bar does not exist');
// retrieve SERVER variables
$request->server->get('HTTP_HOST');
// retrieves an instance of UploadedFile identified by foo
$request->files->get('foo');
// retrieve a COOKIE value
$request->cookies->get('PHPSESSID');
// retrieve an HTTP request header, with normalized, lowercase keys
$request->headers->get('host');
$request->headers->get('content_type');
$request->getMethod();
$request->getLanguages();

// GET, POST, PUT, DELETE, HEAD
// an array of languages the client accepts

As a bonus, the Request class does a lot of work in the background that you'll never need to worry about.
For example, the isSecure() method checks the three different values in PHP that can indicate whether
or not the user is connecting via a secured connection (i.e. HTTPS).

8. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 8

ParameterBags and Request Attributes
As seen above, the $_GET and $_POST variables are accessible via the public query and request
properties respectively. Each of these objects is a ParameterBag9 object, which has methods like
get()10, has()11, all()12 and more. In fact, every public property used in the previous example is
some instance of the ParameterBag.
The Request class also has a public attributes property, which holds special data related to how
the application works internally. For the Symfony framework, the attributes holds the values
returned by the matched route, like _controller, id (if you have an {id} wildcard), and even the
name of the matched route (_route). The attributes property exists entirely to be a place where
you can prepare and store context-specific information about the request.

Symfony also provides a Response class: a simple PHP representation of an HTTP response message.
This allows your application to use an object-oriented interface to construct the response that needs to
be returned to the client:
Listing 1-7

1
2
3
4
5
6
7
8
9

use Symfony\Component\HttpFoundation\Response;
$response = new Response();
$response->setContent('<html><body><h1>Hello world!</h1></body></html>');
$response->setStatusCode(200);
$response->headers->set('Content-Type', 'text/html');

// prints the HTTP headers followed by the content
$response->send();

If Symfony offered nothing else, you would already have a toolkit for easily accessing request information
and an object-oriented interface for creating the response. Even as you learn the many powerful features
in Symfony, keep in mind that the goal of your application is always to interpret a request and create the
appropriate response based on your application logic.
The Request and Response classes are part of a standalone component included with Symfony
called HttpFoundation. This component can be used entirely independently of Symfony and also
provides classes for handling sessions and file uploads.

The Journey from the Request to the Response
Like HTTP itself, the Request and Response objects are pretty simple. The hard part of building an
application is writing what comes in between. In other words, the real work comes in writing the code
that interprets the request information and creates the response.
Your application probably does many things, like sending emails, handling form submissions, saving
things to a database, rendering HTML pages and protecting content with security. How can you manage
all of this and still keep your code organized and maintainable?
Symfony was created to solve these problems so that you don't have to.

9.
10.
11.
12.

http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/ParameterBag.html
http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/ParameterBag.html#get()
http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/ParameterBag.html#has()
http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/ParameterBag.html#all()

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 9

The Front Controller
Traditionally, applications were built so that each "page" of a site was its own physical file:
Listing 1-8

1 index.php
2 contact.php
3 blog.php

There are several problems with this approach, including the inflexibility of the URLs (what if you
wanted to change blog.php to news.php without breaking all of your links?) and the fact that each file
must manually include some set of core files so that security, database connections and the "look" of the
site can remain consistent.
A much better solution is to use a front controller: a single PHP file that handles every request coming
into your application. For example:
/index.php

executes index.php

/index.php/contact executes index.php
/index.php/blog

executes index.php

Using Apache's mod_rewrite (or equivalent with other web servers), the URLs can easily be
cleaned up to be just /, /contact and /blog.

Now, every request is handled exactly the same way. Instead of individual URLs executing different PHP
files, the front controller is always executed, and the routing of different URLs to different parts of your
application is done internally. This solves both problems with the original approach. Almost all modern
web apps do this - including apps like WordPress.

Stay Organized
Inside your front controller, you have to figure out which code should be executed and what the content
to return should be. To figure this out, you'll need to check the incoming URI and execute different parts
of your code depending on that value. This can get ugly quickly:
Listing 1-9

1
2
3
4
5
6
7
8
9
10
11
12
13
14

// index.php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
$request = Request::createFromGlobals();
$path = $request->getPathInfo(); // the URI path being requested
if (in_array($path, array('', '/'))) {
$response = new Response('Welcome to the homepage.');
} elseif ($path == '/contact') {
$response = new Response('Contact us');
} else {
$response = new Response('Page not found.', 404);
}
$response->send();

Solving this problem can be difficult. Fortunately it's exactly what Symfony is designed to do.

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 10

The Symfony Application Flow
When you let Symfony handle each request, life is much easier. Symfony follows the same simple pattern
for every request:

Incoming requests are interpreted by the routing and passed to controller functions that return Response
objects.
Each "page" of your site is defined in a routing configuration file that maps different URLs to different
PHP functions. The job of each PHP function, called a controller, is to use information from the request along with many other tools Symfony makes available - to create and return a Response object. In other
words, the controller is where your code goes: it's where you interpret the request and create a response.
It's that easy! To review:
• Each request executes a front controller file;
• The routing system determines which PHP function should be executed based on information
from the request and routing configuration you've created;
• The correct PHP function is executed, where your code creates and returns the appropriate
Response object.

A Symfony Request in Action
Without diving into too much detail, here is this process in action. Suppose you want to add a /contact
page to your Symfony application. First, start by adding an entry for /contact to your routing
configuration file:
Listing 1-10

1 # app/config/routing.yml
2 contact:
3
path:
/contact
4
defaults: { _controller: AcmeDemoBundle:Main:contact }

This example uses YAML to define the routing configuration. Routing configuration can also be
written in other formats such as XML or PHP.

When someone visits the /contact page, this route is matched, and the specified controller is executed.
As you'll learn in the routing chapter, the AcmeDemoBundle:Main:contact string is a short syntax that
points to a specific PHP method contactAction inside a class called MainController:
Listing 1-11

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 11

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/DemoBundle/Controller/MainController.php
namespace Acme\DemoBundle\Controller;
use Symfony\Component\HttpFoundation\Response;
class MainController
{
public function contactAction()
{
return new Response('<h1>Contact us!</h1>');
}
}

In this very simple example, the controller simply creates a Response13 object with the HTML
<h1>Contact us!</h1>. In the controller chapter, you'll learn how a controller can render templates,
allowing your "presentation" code (i.e. anything that actually writes out HTML) to live in a separate
template file. This frees up the controller to worry only about the hard stuff: interacting with the
database, handling submitted data, or sending email messages.

Symfony: Build your App, not your Tools.
You now know that the goal of any app is to interpret each incoming request and create an appropriate
response. As an application grows, it becomes more difficult to keep your code organized and
maintainable. Invariably, the same complex tasks keep coming up over and over again: persisting things
to the database, rendering and reusing templates, handling form submissions, sending emails, validating
user input and handling security.
The good news is that none of these problems is unique. Symfony provides a framework full of tools that
allow you to build your application, not your tools. With Symfony, nothing is imposed on you: you're
free to use the full Symfony framework, or just one piece of Symfony all by itself.

Standalone Tools: The Symfony Components
So what is Symfony? First, Symfony is a collection of over twenty independent libraries that can be used
inside any PHP project. These libraries, called the Symfony Components, contain something useful for
almost any situation, regardless of how your project is developed. To name a few:
• HttpFoundation - Contains the Request and Response classes, as well as other classes for
handling sessions and file uploads;
• Routing - Powerful and fast routing system that allows you to map a specific URI (e.g.
/contact) to some information about how that request should be handled (e.g. execute the
contactAction() method);
• Form14 - A full-featured and flexible framework for creating forms and handling form
submissions;
• Validator15 - A system for creating rules about data and then validating whether or not usersubmitted data follows those rules;
• ClassLoader - An autoloading library that allows PHP classes to be used without needing to
manually require the files containing those classes;
• Templating - A toolkit for rendering templates, handling template inheritance (i.e. a template
is decorated with a layout) and performing other common template tasks;
• Security16 - A powerful library for handling all types of security inside an application;
13. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html
14. https://github.com/symfony/Form
15. https://github.com/symfony/Validator

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 12

• Translation17 - A framework for translating strings in your application.
Each and every one of these components is decoupled and can be used in any PHP project, regardless of
whether or not you use the Symfony framework. Every part is made to be used if needed and replaced
when necessary.

The Full Solution: The Symfony Framework
So then, what is the Symfony Framework? The Symfony Framework is a PHP library that accomplishes
two distinct tasks:
1. Provides a selection of components (i.e. the Symfony Components) and third-party libraries
(e.g. Swift Mailer18 for sending emails);
2. Provides sensible configuration and a "glue" library that ties all of these pieces together.
The goal of the framework is to integrate many independent tools in order to provide a consistent
experience for the developer. Even the framework itself is a Symfony bundle (i.e. a plugin) that can be
configured or replaced entirely.
Symfony provides a powerful set of tools for rapidly developing web applications without imposing on
your application. Normal users can quickly start development by using a Symfony distribution, which
provides a project skeleton with sensible defaults. For more advanced users, the sky is the limit.

16. https://github.com/symfony/Security
17. https://github.com/symfony/Translation
18. http://swiftmailer.org/

PDF brought to you by
generated on October 9, 2014

Chapter 1: Symfony and HTTP Fundamentals | 13

Chapter 2

Symfony versus Flat PHP
Why is Symfony better than just opening up a file and writing flat PHP?
If you've never used a PHP framework, aren't familiar with the MVC philosophy, or just wonder what
all the hype is around Symfony, this chapter is for you. Instead of telling you that Symfony allows you to
develop faster and better software than with flat PHP, you'll see for yourself.
In this chapter, you'll write a simple application in flat PHP, and then refactor it to be more organized.
You'll travel through time, seeing the decisions behind why web development has evolved over the past
several years to where it is now.
By the end, you'll see how Symfony can rescue you from mundane tasks and let you take back control of
your code.

A Simple Blog in Flat PHP
In this chapter, you'll build the token blog application using only flat PHP. To begin, create a single page
that displays blog entries that have been persisted to the database. Writing in flat PHP is quick and dirty:
Listing 2-1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

<?php
// index.php
$link = mysql_connect('localhost', 'myuser', 'mypassword');
mysql_select_db('blog_db', $link);
$result = mysql_query('SELECT id, title FROM post', $link);
?>
<!DOCTYPE html>
<html>
<head>
<title>List of Posts</title>
</head>
<body>
<h1>List of Posts</h1>
<ul>
<?php while ($row = mysql_fetch_assoc($result)): ?>

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 14

18
19
20
21
22
23
24
25
26
27
28
29
30

<li>
<a href="/show.php?id=<?php echo $row['id'] ?>">
<?php echo $row['title'] ?>
</a>
</li>
<?php endwhile; ?>
</ul>
</body>
</html>
<?php
mysql_close($link);
?>

That's quick to write, fast to execute, and, as your app grows, impossible to maintain. There are several
problems that need to be addressed:
• No error-checking: What if the connection to the database fails?
• Poor organization: If the application grows, this single file will become increasingly
unmaintainable. Where should you put code to handle a form submission? How can you
validate data? Where should code go for sending emails?
• Difficult to reuse code: Since everything is in one file, there's no way to reuse any part of the
application for other "pages" of the blog.
Another problem not mentioned here is the fact that the database is tied to MySQL. Though not
covered here, Symfony fully integrates Doctrine1, a library dedicated to database abstraction and
mapping.

Isolating the Presentation
The code can immediately gain from separating the application "logic" from the code that prepares the
HTML "presentation":
Listing 2-2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<?php
// index.php
$link = mysql_connect('localhost', 'myuser', 'mypassword');
mysql_select_db('blog_db', $link);
$result = mysql_query('SELECT id, title FROM post', $link);
$posts = array();
while ($row = mysql_fetch_assoc($result)) {
$posts[] = $row;
}
mysql_close($link);

// include the HTML presentation code
require 'templates/list.php';

The HTML code is now stored in a separate file (templates/list.php), which is primarily an HTML file
that uses a template-like PHP syntax:
Listing 2-3

1. http://www.doctrine-project.org

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 15

1 <!DOCTYPE html>
2 <html>
3
<head>
4
<title>List of Posts</title>
5
</head>
6
<body>
7
<h1>List of Posts</h1>
8
<ul>
9
<?php foreach ($posts as $post): ?>
10
<li>
11
<a href="/read?id=<?php echo $post['id'] ?>">
12
<?php echo $post['title'] ?>
13
</a>
14
</li>
15
<?php endforeach; ?>
16
</ul>
17
</body>
18 </html>

By convention, the file that contains all of the application logic - index.php - is known as a "controller".
The term controller is a word you'll hear a lot, regardless of the language or framework you use. It refers
simply to the area of your code that processes user input and prepares the response.
In this case, the controller prepares data from the database and then includes a template to present that
data. With the controller isolated, you could easily change just the template file if you needed to render
the blog entries in some other format (e.g. list.json.php for JSON format).

Isolating the Application (Domain) Logic
So far the application contains only one page. But what if a second page needed to use the same database
connection, or even the same array of blog posts? Refactor the code so that the core behavior and dataaccess functions of the application are isolated in a new file called model.php:
Listing 2-4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

<?php
// model.php
function open_database_connection()
{
$link = mysql_connect('localhost', 'myuser', 'mypassword');
mysql_select_db('blog_db', $link);
return $link;
}
function close_database_connection($link)
{
mysql_close($link);
}
function get_all_posts()
{
$link = open_database_connection();
$result = mysql_query('SELECT id, title FROM post', $link);
$posts = array();
while ($row = mysql_fetch_assoc($result)) {
$posts[] = $row;
}

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 16

25
26
27
28 }

close_database_connection($link);
return $posts;

The filename model.php is used because the logic and data access of an application is traditionally
known as the "model" layer. In a well-organized application, the majority of the code representing
your "business logic" should live in the model (as opposed to living in a controller). And unlike in
this example, only a portion (or none) of the model is actually concerned with accessing a database.

The controller (index.php) is now very simple:
Listing 2-5

1
2
3
4
5
6

<?php
require_once 'model.php';
$posts = get_all_posts();
require 'templates/list.php';

Now, the sole task of the controller is to get data from the model layer of the application (the model) and
to call a template to render that data. This is a very simple example of the model-view-controller pattern.

Isolating the Layout
At this point, the application has been refactored into three distinct pieces offering various advantages
and the opportunity to reuse almost everything on different pages.
The only part of the code that can't be reused is the page layout. Fix that by creating a new layout.php
file:
Listing 2-6

1
2
3
4
5
6
7
8
9
10

<!-- templates/layout.php -->
<!DOCTYPE html>
<html>
<head>
<title><?php echo $title ?></title>
</head>
<body>
<?php echo $content ?>
</body>
</html>

The template (templates/list.php) can now be simplified to "extend" the layout:
Listing 2-7

1 <?php $title = 'List of Posts' ?>
2
3 <?php ob_start() ?>
4
<h1>List of Posts</h1>
5
<ul>
6
<?php foreach ($posts as $post): ?>
7
<li>
8
<a href="/read?id=<?php echo $post['id'] ?>">
9
<?php echo $post['title'] ?>
10
</a>
11
</li>

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 17

12
<?php endforeach; ?>
13
</ul>
14 <?php $content = ob_get_clean() ?>
15
16 <?php include 'layout.php' ?>

You've now introduced a methodology that allows for the reuse of the layout. Unfortunately, to
accomplish this, you're forced to use a few ugly PHP functions (ob_start(), ob_get_clean()) in the
template. Symfony uses a Templating component that allows this to be accomplished cleanly and easily.
You'll see it in action shortly.

Adding a Blog "show" Page
The blog "list" page has now been refactored so that the code is better-organized and reusable. To prove
it, add a blog "show" page, which displays an individual blog post identified by an id query parameter.
To begin, create a new function in the model.php file that retrieves an individual blog result based on a
given id:
Listing 2-8

1
2
3
4
5
6
7
8
9
10
11
12
13
14

// model.php
function get_post_by_id($id)
{
$link = open_database_connection();
$id = intval($id);
$query = 'SELECT date, title, body FROM post WHERE id = '.$id;
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
close_database_connection($link);
return $row;
}

Next, create a new file called show.php - the controller for this new page:
Listing 2-9

1
2
3
4
5
6

<?php
require_once 'model.php';
$post = get_post_by_id($_GET['id']);
require 'templates/show.php';

Finally, create the new template file - templates/show.php - to render the individual blog post:
Listing 2-10

1 <?php $title = $post['title'] ?>
2
3 <?php ob_start() ?>
4
<h1><?php echo $post['title'] ?></h1>
5
6
<div class="date"><?php echo $post['date'] ?></div>
7
<div class="body">
8
<?php echo $post['body'] ?>
9
</div>
10 <?php $content = ob_get_clean() ?>

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 18

11
12 <?php include 'layout.php' ?>

Creating the second page is now very easy and no code is duplicated. Still, this page introduces even
more lingering problems that a framework can solve for you. For example, a missing or invalid id query
parameter will cause the page to crash. It would be better if this caused a 404 page to be rendered, but
this can't really be done easily yet. Worse, had you forgotten to clean the id parameter via the intval()
function, your entire database would be at risk for an SQL injection attack.
Another major problem is that each individual controller file must include the model.php file. What if
each controller file suddenly needed to include an additional file or perform some other global task (e.g.
enforce security)? As it stands now, that code would need to be added to every controller file. If you forget
to include something in one file, hopefully it doesn't relate to security...

A "Front Controller" to the Rescue
The solution is to use a front controller: a single PHP file through which all requests are processed. With
a front controller, the URIs for the application change slightly, but start to become more flexible:
Listing 2-11

1
2
3
4
5
6
7

Without a front controller
/index.php
=> Blog post list page (index.php executed)
/show.php
=> Blog post show page (show.php executed)
With index.php as the front controller
/index.php
=> Blog post list page (index.php executed)
/index.php/show
=> Blog post show page (index.php executed)

The index.php portion of the URI can be removed if using Apache rewrite rules (or equivalent). In
that case, the resulting URI of the blog show page would be simply /show.

When using a front controller, a single PHP file (index.php in this case) renders every request. For
the blog post show page, /index.php/show will actually execute the index.php file, which is now
responsible for routing requests internally based on the full URI. As you'll see, a front controller is a very
powerful tool.

Creating the Front Controller
You're about to take a big step with the application. With one file handling all requests, you can
centralize things such as security handling, configuration loading, and routing. In this application,
index.php must now be smart enough to render the blog post list page or the blog post show page based
on the requested URI:
Listing 2-12

1
2
3
4
5
6
7
8
9

<?php
// index.php

// load and initialize any global libraries
require_once 'model.php';
require_once 'controllers.php';
// route the request internally
$uri = $_SERVER['REQUEST_URI'];

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 19

10
11
12
13
14
15
16
17

if ('/index.php' == $uri) {
list_action();
} elseif ('/index.php/show' == $uri && isset($_GET['id'])) {
show_action($_GET['id']);
} else {
header('Status: 404 Not Found');
echo '<html><body><h1>Page Not Found</h1></body></html>';
}

For organization, both controllers (formerly index.php and show.php) are now PHP functions and each
has been moved into a separate file, controllers.php:
Listing 2-13

1
2
3
4
5
6
7
8
9
10
11

function list_action()
{
$posts = get_all_posts();
require 'templates/list.php';
}
function show_action($id)
{
$post = get_post_by_id($id);
require 'templates/show.php';
}

As a front controller, index.php has taken on an entirely new role, one that includes loading the
core libraries and routing the application so that one of the two controllers (the list_action() and
show_action() functions) is called. In reality, the front controller is beginning to look and act a lot like
Symfony's mechanism for handling and routing requests.
Another advantage of a front controller is flexible URLs. Notice that the URL to the blog post show
page could be changed from /show to /read by changing code in only one location. Before, an
entire file needed to be renamed. In Symfony, URLs are even more flexible.

By now, the application has evolved from a single PHP file into a structure that is organized and allows
for code reuse. You should be happier, but far from satisfied. For example, the "routing" system is
fickle, and wouldn't recognize that the list page (/index.php) should be accessible also via / (if Apache
rewrite rules were added). Also, instead of developing the blog, a lot of time is being spent working on
the "architecture" of the code (e.g. routing, calling controllers, templates, etc.). More time will need to
be spent to handle form submissions, input validation, logging and security. Why should you have to
reinvent solutions to all these routine problems?

Add a Touch of Symfony
Symfony to the rescue. Before actually using Symfony, you need to download it. This can be done by
using Composer, which takes care of downloading the correct version and all its dependencies and
provides an autoloader. An autoloader is a tool that makes it possible to start using PHP classes without
explicitly including the file containing the class.
In your root directory, create a composer.json file with the following content:
Listing 2-14

1 {
2
3
4

"require": {
"symfony/symfony": "2.3.*"
},

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 20

5
6
7
8 }

"autoload": {
"files": ["model.php","controllers.php"]
}

Next, download Composer2 and then run the following command, which will download Symfony into a
vendor/ directory:
Listing 2-15

1 $ php composer.phar install

Beside downloading your dependencies, Composer generates a vendor/autoload.php file, which takes
care of autoloading for all the files in the Symfony Framework as well as the files mentioned in the
autoload section of your composer.json.
Core to Symfony's philosophy is the idea that an application's main job is to interpret each request and
return a response. To this end, Symfony provides both a Request3 and a Response4 class. These classes
are object-oriented representations of the raw HTTP request being processed and the HTTP response
being returned. Use them to improve the blog:
Listing 2-16

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

<?php
// index.php
require_once 'vendor/autoload.php';
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
$request = Request::createFromGlobals();
$uri = $request->getPathInfo();
if ('/' == $uri) {
$response = list_action();
} elseif ('/show' == $uri && $request->query->has('id')) {
$response = show_action($request->query->get('id'));
} else {
$html = '<html><body><h1>Page Not Found</h1></body></html>';
$response = new Response($html, 404);
}

// echo the headers and send the response
$response->send();

The controllers are now responsible for returning a Response object. To make this easier, you can add
a new render_template() function, which, incidentally, acts quite a bit like the Symfony templating
engine:
Listing 2-17

1
2
3
4
5
6
7

// controllers.php
use Symfony\Component\HttpFoundation\Response;
function list_action()
{
$posts = get_all_posts();
$html = render_template('templates/list.php', array('posts' => $posts));

2. http://getcomposer.org/download/
3. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html
4. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 21

8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

return new Response($html);
}
function show_action($id)
{
$post = get_post_by_id($id);
$html = render_template('templates/show.php', array('post' => $post));
return new Response($html);
}

// helper function to render templates
function render_template($path, array $args)
{
extract($args);
ob_start();
require $path;
$html = ob_get_clean();
return $html;
}

By bringing in a small part of Symfony, the application is more flexible and reliable. The Request
provides a dependable way to access information about the HTTP request. Specifically, the
getPathInfo() method returns a cleaned URI (always returning /show and never /index.php/show).
So, even if the user goes to /index.php/show, the application is intelligent enough to route the request
through show_action().
The Response object gives flexibility when constructing the HTTP response, allowing HTTP headers
and content to be added via an object-oriented interface. And while the responses in this application are
simple, this flexibility will pay dividends as your application grows.

The Sample Application in Symfony
The blog has come a long way, but it still contains a lot of code for such a simple application. Along
the way, you've made a simple routing system and a method using ob_start() and ob_get_clean() to
render templates. If, for some reason, you needed to continue building this "framework" from scratch,
you could at least use Symfony's standalone Routing5 and Templating6 components, which already solve
these problems.
Instead of re-solving common problems, you can let Symfony take care of them for you. Here's the same
sample application, now built in Symfony:
Listing 2-18

1
2
3
4
5
6
7
8
9
10

// src/Acme/BlogBundle/Controller/BlogController.php
namespace Acme\BlogBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class BlogController extends Controller
{
public function listAction()
{
$posts = $this->get('doctrine')

5. https://github.com/symfony/Routing
6. https://github.com/symfony/Templating

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 22

11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38 }

->getManager()
->createQuery('SELECT p FROM AcmeBlogBundle:Post p')
->execute();
return $this->render(
'AcmeBlogBundle:Blog:list.html.php',
array('posts' => $posts)
);
}
public function showAction($id)
{
$post = $this->get('doctrine')
->getManager()
->getRepository('AcmeBlogBundle:Post')
->find($id);
if (!$post) {
// cause the 404 page not found to be displayed
throw $this->createNotFoundException();
}
return $this->render(
'AcmeBlogBundle:Blog:show.html.php',
array('post' => $post)
);
}

The two controllers are still lightweight. Each uses the Doctrine ORM library to retrieve objects from
the database and the Templating component to render a template and return a Response object. The list
template is now quite a bit simpler:
Listing 2-19

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

<!-- src/Acme/BlogBundle/Resources/views/Blog/list.html.php -->
<?php $view->extend('::layout.html.php') ?>
<?php $view['slots']->set('title', 'List of Posts') ?>
<h1>List of Posts</h1>
<ul>
<?php foreach ($posts as $post): ?>
<li>
<a href="<?php echo $view['router']->generate(
'blog_show',
array('id' => $post->getId())
) ?>">
<?php echo $post->getTitle() ?>
</a>
</li>
<?php endforeach; ?>
</ul>

The layout is nearly identical:
Listing 2-20

1 <!-- app/Resources/views/layout.html.php -->
2 <!DOCTYPE html>
3 <html>

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 23

4
<head>
5
<title><?php echo $view['slots']->output(
6
'title',
7
'Default title'
8
) ?></title>
9
</head>
10
<body>
11
<?php echo $view['slots']->output('_content') ?>
12
</body>
13 </html>

The show template is left as an exercise, as it should be trivial to create based on the list template.

When Symfony's engine (called the Kernel) boots up, it needs a map so that it knows which controllers
to execute based on the request information. A routing configuration map provides this information in a
readable format:
Listing 2-21

1 # app/config/routing.yml
2 blog_list:
3
path:
/blog
4
defaults: { _controller: AcmeBlogBundle:Blog:list }
5
6 blog_show:
7
path:
/blog/show/{id}
8
defaults: { _controller: AcmeBlogBundle:Blog:show }

Now that Symfony is handling all the mundane tasks, the front controller is dead simple. And since it
does so little, you'll never have to touch it once it's created (and if you use a Symfony distribution, you
won't even need to create it!):
Listing 2-22

1
2
3
4
5
6
7
8

// web/app.php
require_once __DIR__.'/../app/bootstrap.php';
require_once __DIR__.'/../app/AppKernel.php';
use Symfony\Component\HttpFoundation\Request;
$kernel = new AppKernel('prod', false);
$kernel->handle(Request::createFromGlobals())->send();

The front controller's only job is to initialize Symfony's engine (Kernel) and pass it a Request object to
handle. Symfony's core then uses the routing map to determine which controller to call. Just like before,
the controller method is responsible for returning the final Response object. There's really not much else
to it.
For a visual representation of how Symfony handles each request, see the request flow diagram.

Where Symfony Delivers
In the upcoming chapters, you'll learn more about how each piece of Symfony works and the
recommended organization of a project. For now, have a look at how migrating the blog from flat PHP
to Symfony has improved life:

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 24

• Your application now has clear and consistently organized code (though Symfony doesn't
force you into this). This promotes reusability and allows for new developers to be productive
in your project more quickly;
• 100% of the code you write is for your application. You don't need to develop or maintain
low-level utilities such as autoloading, routing, or rendering controllers;
• Symfony gives you access to open source tools such as Doctrine and the Templating,
Security, Form, Validation and Translation components (to name a few);
• The application now enjoys fully-flexible URLs thanks to the Routing component;
• Symfony's HTTP-centric architecture gives you access to powerful tools such as HTTP
caching powered by Symfony's internal HTTP cache or more powerful tools such as
Varnish7. This is covered in a later chapter all about caching.
And perhaps best of all, by using Symfony, you now have access to a whole set of high-quality open
source tools developed by the Symfony community! A good selection of Symfony community tools
can be found on KnpBundles.com8.

Better Templates
If you choose to use it, Symfony comes standard with a templating engine called Twig9 that makes
templates faster to write and easier to read. It means that the sample application could contain even less
code! Take, for example, the list template written in Twig:
Listing 2-23

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

{# src/Acme/BlogBundle/Resources/views/Blog/list.html.twig #}
{% extends "::layout.html.twig" %}
{% block title %}List of Posts{% endblock %}
{% block body %}
<h1>List of Posts</h1>
<ul>
{% for post in posts %}
<li>
<a href="{{ path('blog_show', {'id': post.id}) }}">
{{ post.title }}
</a>
</li>
{% endfor %}
</ul>
{% endblock %}

The corresponding layout.html.twig template is also easier to write:
Listing 2-24

1
2
3
4
5
6
7
8
9
10

{# app/Resources/views/layout.html.twig #}
<!DOCTYPE html>
<html>
<head>
<title>{% block title %}Default title{% endblock %}</title>
</head>
<body>
{% block body %}{% endblock %}
</body>
</html>

7. https://www.varnish-cache.org/
8. http://knpbundles.com/
9. http://twig.sensiolabs.org

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 25

Twig is well-supported in Symfony. And while PHP templates will always be supported in Symfony, the
many advantages of Twig will continue to be discussed. For more information, see the templating chapter.

Learn more from the Cookbook
• How to Use PHP instead of Twig for Templates
• How to Define Controllers as Services

PDF brought to you by
generated on October 9, 2014

Chapter 2: Symfony versus Flat PHP | 26

Chapter 3

Installing and Configuring Symfony
The goal of this chapter is to get you up and running with a working application built on top of Symfony.
Fortunately, Symfony offers "distributions", which are functional Symfony "starter" projects that you can
download and begin developing in immediately.
If you're looking for instructions on how best to create a new project and store it via source control,
see Using Source Control.

Installing a Symfony Distribution
First, check that you have installed and configured a Web server (such as Apache) with PHP. For
more information on Symfony requirements, see the requirements reference.

Symfony packages "distributions", which are fully-functional applications that include the Symfony core
libraries, a selection of useful bundles, a sensible directory structure and some default configuration.
When you download a Symfony distribution, you're downloading a functional application skeleton that
can be used immediately to begin developing your application.
Start by visiting the Symfony download page at http://symfony.com/download1. On this page, you'll see the
Symfony Standard Edition, which is the main Symfony distribution. There are 2 ways to get your project
started:

Option 1) Composer
Composer2 is a dependency management library for PHP, which you can use to download the Symfony
Standard Edition.

1. http://symfony.com/download
2. http://getcomposer.org/

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 27

Start by downloading Composer3 anywhere onto your local computer. If you have curl installed, it's as
easy as:
Listing 3-1

1 $ curl -s https://getcomposer.org/installer | php

If your computer is not ready to use Composer, you'll see some recommendations when running
this command. Follow those recommendations to get Composer working properly.

Composer is an executable PHAR file, which you can use to download the Standard Distribution:
Listing 3-2

1 $ php composer.phar create-project symfony/framework-standard-edition /path/to/webroot/
Symfony '2.3.*'

To download the vendor files faster, add the --prefer-dist option at the end of any Composer
command.

This command may take several minutes to run as Composer downloads the Standard Distribution along
with all of the vendor libraries that it needs. When it finishes, you should have a directory that looks
something like this:
Listing 3-3

1 path/to/webroot/ <- your web server directory (sometimes named htdocs or public)
2
Symfony/ <- the new directory
3
app/
4
cache/
5
config/
6
logs/
7
src/
8
...
9
vendor/
10
...
11
web/
12
app.php
13
...

Option 2) Download an Archive
You can also download an archive of the Standard Edition. Here, you'll need to make two choices:
• Download either a .tgz or .zip archive - both are equivalent, download whatever you're more
comfortable using;
• Download the distribution with or without vendors. If you're planning on using more thirdparty libraries or bundles and managing them via Composer, you should probably download
"without vendors".
Download one of the archives somewhere under your local web server's root directory and unpack it.
From a UNIX command line, this can be done with one of the following commands (replacing ### with
your actual filename):
Listing 3-4

3. http://getcomposer.org/download/

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 28

1
2
3
4
5

# for .tgz file
$ tar zxvf Symfony_Standard_Vendors_2.3.###.tgz
# for a .zip file
$ unzip Symfony_Standard_Vendors_2.3.###.zip

If you've downloaded "without vendors", you'll definitely need to read the next section.
You can easily override the default directory structure. See How to Override Symfony's default
Directory Structure for more information.

All public files and the front controller that handles incoming requests in a Symfony application live in
the Symfony/web/ directory. So, assuming you unpacked the archive into your web server's or virtual
host's document root, your application's URLs will start with http://localhost/Symfony/web/.
The following examples assume you don't touch the document root settings so all URLs start with
http://localhost/Symfony/web/

Updating Vendors
At this point, you've downloaded a fully-functional Symfony project in which you'll start to develop your
own application. A Symfony project depends on a number of external libraries. These are downloaded
into the vendor/ directory of your project via a library called Composer4.
Depending on how you downloaded Symfony, you may or may not need to update your vendors right
now. But, updating your vendors is always safe, and guarantees that you have all the vendor libraries you
need.
Step 1: Get Composer5 (The great new PHP packaging system)
Listing 3-5

1 $ curl -s http://getcomposer.org/installer | php

Make sure you download composer.phar in the same folder where the composer.json file is located
(this is your Symfony project root by default).
Step 2: Install vendors
Listing 3-6

1 $ php composer.phar install

This command downloads all of the necessary vendor libraries - including Symfony itself - into the
vendor/ directory.
If you don't have curl installed, you can also just download the installer file manually at
http://getcomposer.org/installer6. Place this file into your project and then run:
Listing 3-7

1 $ php installer
2 $ php composer.phar install

4. http://getcomposer.org/
5. http://getcomposer.org/

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 29

When running php composer.phar install or php composer.phar update, Composer will
execute post install/update commands to clear the cache and install assets. By default, the assets
will be copied into your web directory.
Instead of copying your Symfony assets, you can create symlinks if your operating system supports
it. To create symlinks, add an entry in the extra node of your composer.json file with the key
symfony-assets-install and the value symlink:
Listing 3-8

"extra": {
"symfony-app-dir": "app",
"symfony-web-dir": "web",
"symfony-assets-install": "symlink"
}

When passing relative instead of symlink to symfony-assets-install, the command will generate
relative symlinks.

Configuration and Setup
At this point, all of the needed third-party libraries now live in the vendor/ directory. You also have a
default application setup in app/ and some sample code inside the src/ directory.
Symfony comes with a visual server configuration tester to help make sure your Web server and PHP are
configured to use Symfony. Use the following URL to check your configuration:
Listing 3-9

1 http://localhost/config.php

If there are any issues, correct them now before moving on.

6. http://getcomposer.org/installer

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 30

Setting up Permissions
One common issue is that the app/cache and app/logs directories must be writable both by the
web server and the command line user. On a UNIX system, if your web server user is different from
your command line user, you can run the following commands just once in your project to ensure
that permissions will be setup properly.
1. Using ACL on a system that supports chmod +a
Many systems allow you to use the chmod +a command. Try this first, and if you get an error try the next method. This uses a command to try to determine your web server user and set it as
HTTPDUSER:
Listing 3-10

1
2
3
4
5
6

$ rm -rf app/cache/*
$ rm -rf app/logs/*
$ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v
root | head -1 | cut -d\ -f1`
$ sudo chmod +a "$HTTPDUSER allow delete,write,append,file_inherit,directory_inherit"
app/cache app/logs
$ sudo chmod +a "`whoami` allow delete,write,append,file_inherit,directory_inherit"
app/cache app/logs

2. Using ACL on a system that does not support chmod +a
Some systems don't support chmod +a, but do support another utility called setfacl. You may
need to enable ACL support7 on your partition and install setfacl before using it (as is the case with
Ubuntu). This uses a command to try to determine your web server user and set it as HTTPDUSER:
Listing 3-11

1 $ HTTPDUSER=`ps aux | grep -E '[a]pache|[h]ttpd|[_]www|[w]ww-data|[n]ginx' | grep -v
2 root | head -1 | cut -d\ -f1`
3 $ sudo setfacl -R -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs
$ sudo setfacl -dR -m u:"$HTTPDUSER":rwX -m u:`whoami`:rwX app/cache app/logs

If this doesn't work, try adding -n option.
3. Without using ACL
If you don't have access to changing the ACL of the directories, you will need to change the umask
so that the cache and log directories will be group-writable or world-writable (depending if the
web server user and the command line user are in the same group or not). To achieve this, put the
following line at the beginning of the app/console, web/app.php and web/app_dev.php files:
Listing 3-12

1 umask(0002); // This will let the permissions be 0775
2
3 // or
4
5 umask(0000); // This will let the permissions be 0777

Note that using the ACL is recommended when you have access to them on your server because
changing the umask is not thread-safe.
4. Use the same user for the CLI and the web server
In development environments, it is a common practice to use the same unix user for the CLI and
the web server because it avoids any of these permissions issues when setting up new projects. This
can be done by editing your web server configuration (e.g. commonly httpd.conf or apache2.conf
for Apache) and setting its user to be the same as your CLI user (e.g. for Apache, update the User
and Group values).

7. https://help.ubuntu.com/community/FilePermissionsACLs

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 31

When everything is fine, click on "Go to the Welcome page" to request your first "real" Symfony
webpage:
Listing 3-13

1 http://localhost/app_dev.php/

Symfony should welcome and congratulate you for your hard work so far!

To get nice and short urls you should point the document root of your webserver or virtual host
to the Symfony/web/ directory. Though this is not required for development it is recommended
at the time your application goes into production as all system and configuration files become
inaccessible to clients then. For information on configuring your specific web server document
root, read Configuring a Web Server or consult the official documentation of your webserver:
Apache8 | Nginx9 .

Beginning Development
Now that you have a fully-functional Symfony application, you can begin development! Your distribution
may contain some sample code - check the README.md file included with the distribution (open it as a
text file) to learn about what sample code was included with your distribution.
If you're new to Symfony, check out "Creating Pages in Symfony", where you'll learn how to create pages,
change configuration, and do everything else you'll need in your new application.
Be sure to also check out the Cookbook, which contains a wide variety of articles about solving specific
problems with Symfony.
If you want to remove the sample code from your distribution, take a look at this cookbook article:
"How to Remove the AcmeDemoBundle"

8. http://httpd.apache.org/docs/current/mod/core.html#documentroot
9. http://wiki.nginx.org/Symfony

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 32

Using Source Control
If you're using a version control system like Git or Subversion, you can setup your version control
system and begin committing your project to it as normal. The Symfony Standard Edition is the starting
point for your new project.
For specific instructions on how best to setup your project to be stored in Git, see How to Create and
Store a Symfony Project in Git.

Ignoring the vendor/ Directory
If you've downloaded the archive without vendors, you can safely ignore the entire vendor/ directory
and not commit it to source control. With Git, this is done by creating and adding the following to a
.gitignore file:
Listing 3-14

1 /vendor/

Now, the vendor directory won't be committed to source control. This is fine (actually, it's great!) because
when someone else clones or checks out the project, they can simply run the php composer.phar
install script to install all the necessary project dependencies.

PDF brought to you by
generated on October 9, 2014

Chapter 3: Installing and Configuring Symfony | 33

Chapter 4

Creating Pages in Symfony
Creating a new page in Symfony is a simple two-step process:
• Create a route: A route defines the URL (e.g. /about) to your page and specifies a controller
(which is a PHP function) that Symfony should execute when the URL of an incoming request
matches the route path;
• Create a controller: A controller is a PHP function that takes the incoming request and
transforms it into the Symfony Response object that's returned to the user.
This simple approach is beautiful because it matches the way that the Web works. Every interaction on
the Web is initiated by an HTTP request. The job of your application is simply to interpret the request
and return the appropriate HTTP response.
Symfony follows this philosophy and provides you with tools and conventions to keep your application
organized as it grows in users and complexity.

Environments & Front Controllers
Every Symfony application runs within an environment. An environment is a specific set of configuration
and loaded bundles, represented by a string. The same application can be run with different
configurations by running the application in different environments. Symfony comes with three
environments defined — dev, test and prod — but you can create your own as well.
Environments are useful by allowing a single application to have a dev environment built for debugging
and a production environment optimized for speed. You might also load specific bundles based on
the selected environment. For example, Symfony comes with the WebProfilerBundle (described below),
enabled only in the dev and test environments.
Symfony comes with two web-accessible front controllers: app_dev.php provides the dev environment,
and app.php provides the prod environment. All web accesses to Symfony normally go through one of
these front controllers. (The test environment is normally only used when running unit tests, and so
doesn't have a dedicated front controller. The console tool also provides a front controller that can be
used with any environment.)
When the front controller initializes the kernel, it provides two parameters: the environment, and also
whether the kernel should run in debug mode. To make your application respond faster, Symfony

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 34

maintains a cache under the app/cache/ directory. When debug mode is enabled (such as app_dev.php
does by default), this cache is flushed automatically whenever you make changes to any code or
configuration. When running in debug mode, Symfony runs slower, but your changes are reflected
without having to manually clear the cache.

The "Random Number" Page
In this chapter, you'll develop an application that can generate random numbers. When you're finished,
the user will be able to get a random number between 1 and the upper limit set by the URL:
Listing 4-1

1 http://localhost/app_dev.php/random/100

Actually, you'll be able to replace 100 with any other number to generate numbers up to that upper limit.
To create the page, follow the simple two-step process.
The tutorial assumes that you've already downloaded Symfony and configured your webserver.
The above URL assumes that localhost points to the web directory of your new Symfony project.
For detailed information on this process, see the documentation on the web server you are using.
Here are some relevant documentation pages for the web server you might be using:
• For Apache HTTP Server, refer to Apache's DirectoryIndex documentation1
• For Nginx, refer to Nginx HttpCoreModule location documentation2

Before you begin: Create the Bundle
Before you begin, you'll need to create a bundle. In Symfony, a bundle is like a plugin, except that all of
the code in your application will live inside a bundle.
A bundle is nothing more than a directory that houses everything related to a specific feature, including
PHP classes, configuration, and even stylesheets and JavaScript files (see The Bundle System).
Depending on the way you installed Symfony, you may already have a bundle called AcmeDemoBundle.
Browse the src/ directory of your project and check if there is a DemoBundle/ directory inside an Acme/
directory. If those directories already exist, skip the rest of this section and go directly to create the route.
To create a bundle called AcmeDemoBundle (a play bundle that you'll build in this chapter), run the
following command and follow the on-screen instructions (use all of the default options):
Listing 4-2

1 $ php app/console generate:bundle --namespace=Acme/DemoBundle --format=yml

Behind the scenes, a directory is created for the bundle at src/Acme/DemoBundle. A line is also
automatically added to the app/AppKernel.php file so that the bundle is registered with the kernel:
Listing 4-3

1 // app/AppKernel.php
2 public function registerBundles()
3 {
4
$bundles = array(
5
...,
6
new Acme\DemoBundle\AcmeDemoBundle(),
7
);
8
// ...

1. http://httpd.apache.org/docs/current/mod/mod_dir.html
2. http://wiki.nginx.org/HttpCoreModule#location

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 35

9
10
11 }

return $bundles;

Now that you have a bundle setup, you can begin building your application inside the bundle.

Step 1: Create the Route
By default, the routing configuration file in a Symfony application is located at app/config/
routing.yml. Like all configuration in Symfony, you can also choose to use XML or PHP out of the box
to configure routes.
If you look at the main routing file, you'll see that Symfony already added an entry when you generated
the AcmeDemoBundle:
Listing 4-4

1 # app/config/routing.yml
2 acme_website:
3
resource: "@AcmeDemoBundle/Resources/config/routing.yml"
4
prefix:
/

This entry is pretty basic: it tells Symfony to load routing configuration from the Resources/config/
routing.yml (routing.xml or routing.php in the XML and PHP code example respectively) file that
lives inside the AcmeDemoBundle. This means that you place routing configuration directly in app/
config/routing.yml or organize your routes throughout your application, and import them from here.
You are not limited to load routing configurations that are of the same format. For example, you
could also load a YAML file in an XML configuration and vice versa.

Now that the routing.yml file from the bundle is being imported, add the new route that defines the
URL of the page that you're about to create:
Listing 4-5

1 # src/Acme/DemoBundle/Resources/config/routing.yml
2 random:
3
path:
/random/{limit}
4
defaults: { _controller: AcmeDemoBundle:Random:index }

The routing consists of two basic pieces: the path, which is the URL that this route will match, and a
defaults array, which specifies the controller that should be executed. The placeholder syntax in the
path ({limit}) is a wildcard. It means that /random/10, /random/327 or any other similar URL will
match this route. The {limit} placeholder parameter will also be passed to the controller so that you
can use its value to generate the proper random number.
The routing system has many more great features for creating flexible and powerful URL structures
in your application. For more details, see the chapter all about Routing.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 36

Step 2: Create the Controller
When a URL such as /random/10 is handled by the application, the random route is matched and the
AcmeDemoBundle:Random:index controller is executed by the framework. The second step of the pagecreation process is to create that controller.
The controller - AcmeDemoBundle:Random:index is the logical name of the controller, and it maps to the
indexAction method of a PHP class called Acme\DemoBundle\Controller\RandomController. Start by
creating this file inside your AcmeDemoBundle:
Listing 4-6

1
2
3
4
5
6

// src/Acme/DemoBundle/Controller/RandomController.php
namespace Acme\DemoBundle\Controller;
class RandomController
{
}

In reality, the controller is nothing more than a PHP method that you create and Symfony executes. This
is where your code uses information from the request to build and prepare the resource being requested.
Except in some advanced cases, the end product of a controller is always the same: a Symfony Response
object.
Create the indexAction method that Symfony will execute when the random route is matched:
Listing 4-7

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/DemoBundle/Controller/RandomController.php
namespace Acme\DemoBundle\Controller;
use Symfony\Component\HttpFoundation\Response;
class RandomController
{
public function indexAction($limit)
{
return new Response('<html><body>Number: '.rand(1, $limit).'</body></html>');
}
}

The controller is simple: it creates a new Response object, whose first argument is the content that should
be used in the response (a small HTML page in this example).
Congratulations! After creating only a route and a controller, you already have a fully-functional page! If
you've setup everything correctly, your application should generate a random number for you:
Listing 4-8

1 http://localhost/app_dev.php/random/10

You can also view your app in the "prod" environment by visiting:
Listing 4-9

1 http://localhost/app.php/random/10

If you get an error, it's likely because you need to clear your cache by running:
Listing 4-10

1 $ php app/console cache:clear --env=prod --no-debug

An optional, but common, third step in the process is to create a template.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 37

Controllers are the main entry point for your code and a key ingredient when creating pages. Much
more information can be found in the Controller Chapter.

Optional Step 3: Create the Template
Templates allow you to move all of the presentation (e.g. HTML code) into a separate file and reuse
different portions of the page layout. Instead of writing the HTML inside the controller, render a template
instead:
Listing 4-11

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

// src/Acme/DemoBundle/Controller/RandomController.php
namespace Acme\DemoBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class RandomController extends Controller
{
public function indexAction($limit)
{
$number = rand(1, $limit);
return $this->render(
'AcmeDemoBundle:Random:index.html.twig',
array('number' => $number)
);

// render a PHP template instead
// return $this->render(
//
'AcmeDemoBundle:Random:index.html.php',
//
array('number' => $number)
// );
}
}

In order to use the render()3 method, your controller must extend the Controller4 class, which
adds shortcuts for tasks that are common inside controllers. This is done in the above example by
adding the use statement on line 4 and then extending Controller on line 6.

The render() method creates a Response object filled with the content of the given, rendered template.
Like any other controller, you will ultimately return that Response object.
Notice that there are two different examples for rendering the template. By default, Symfony supports
two different templating languages: classic PHP templates and the succinct but powerful Twig5 templates.
Don't be alarmed - you're free to choose either or even both in the same project.
The controller renders the AcmeDemoBundle:Random:index.html.twig template, which uses the
following naming convention:
BundleName:ControllerName:TemplateName

3. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html#render()
4. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html
5. http://twig.sensiolabs.org

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 38

This is the logical name of the template, which is mapped to a physical location using the following
convention.
/path/to/BundleName/Resources/views/ControllerName/TemplateName
In this case, AcmeDemoBundle is the bundle name, Random is the controller, and index.html.twig the
template:
Listing 4-12

{# src/Acme/DemoBundle/Resources/views/Random/index.html.twig #}
{% extends '::base.html.twig' %}

1
2
3
4
5
6

{% block body %}
Number: {{ number }}
{% endblock %}

Step through the Twig template line-by-line:
• line 2: The extends token defines a parent template. The template explicitly defines a layout
file inside of which it will be placed.
• line 4: The block token says that everything inside should be placed inside a block called body.
As you'll see, it's the responsibility of the parent template (base.html.twig) to ultimately
render the block called body.
The parent template, ::base.html.twig, is missing both the BundleName and ControllerName
portions of its name (hence the double colon (::) at the beginning). This means that the template lives
outside of the bundles and in the app directory:
Listing 4-13

1
2
3
4
5
6
7
8
9
10
11
12
13
14

{# app/Resources/views/base.html.twig #}
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>{% block title %}Welcome!{% endblock %}</title>
{% block stylesheets %}{% endblock %}
<link rel="shortcut icon" href="{{ asset('favicon.ico') }}" />
</head>
<body>
{% block body %}{% endblock %}
{% block javascripts %}{% endblock %}
</body>
</html>

The base template file defines the HTML layout and renders the body block that you defined in the
index.html.twig template. It also renders a title block, which you could choose to define in the
index.html.twig template. Since you did not define the title block in the child template, it defaults to
"Welcome!".
Templates are a powerful way to render and organize the content for your page. A template can render
anything, from HTML markup, to CSS code, or anything else that the controller may need to return.
In the lifecycle of handling a request, the templating engine is simply an optional tool. Recall that the
goal of each controller is to return a Response object. Templates are a powerful, but optional, tool for
creating the content for that Response object.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 39

The Directory Structure
After just a few short sections, you already understand the philosophy behind creating and rendering
pages in Symfony. You've also already begun to see how Symfony projects are structured and organized.
By the end of this section, you'll know where to find and put different types of files and why.
Though entirely flexible, by default, each Symfony application has the same basic and recommended
directory structure:





app/: This directory contains the application configuration;
src/: All the project PHP code is stored under this directory;
vendor/: Any vendor libraries are placed here by convention;
web/: This is the web root directory and contains any publicly accessible files;

The Web Directory
The web root directory is the home of all public and static files including images, stylesheets, and
JavaScript files. It is also where each front controller lives:
Listing 4-14

1
2
3
4
5
6
7
8
9

// web/app.php
require_once __DIR__.'/../app/bootstrap.php.cache';
require_once __DIR__.'/../app/AppKernel.php';
use Symfony\Component\HttpFoundation\Request;
$kernel = new AppKernel('prod', false);
$kernel->loadClassCache();
$kernel->handle(Request::createFromGlobals())->send();

The front controller file (app.php in this example) is the actual PHP file that's executed when using a
Symfony application and its job is to use a Kernel class, AppKernel, to bootstrap the application.
Having a front controller means different and more flexible URLs than are used in a typical flat
PHP application. When using a front controller, URLs are formatted in the following way:
Listing 4-15

1 http://localhost/app.php/random/10

The front controller, app.php, is executed and the "internal:" URL /random/10 is routed internally
using the routing configuration. By using Apache mod_rewrite rules, you can force the app.php
file to be executed without needing to specify it in the URL:
Listing 4-16

1 http://localhost/random/10

Though front controllers are essential in handling every request, you'll rarely need to modify or even think
about them. They'll be mentioned again briefly in the Environments section.

The Application (app) Directory
As you saw in the front controller, the AppKernel class is the main entry point of the application and is
responsible for all configuration. As such, it is stored in the app/ directory.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 40

This class must implement two methods that define everything that Symfony needs to know about your
application. You don't even need to worry about these methods when starting - Symfony fills them in for
you with sensible defaults.
• registerBundles(): Returns an array of all bundles needed to run the application (see The
Bundle System);
• registerContainerConfiguration(): Loads the main application configuration resource file
(see the Application Configuration section).
In day-to-day development, you'll mostly use the app/ directory to modify configuration and routing
files in the app/config/ directory (see Application Configuration). It also contains the application cache
directory (app/cache), a log directory (app/logs) and a directory for application-level resource files, such
as templates (app/Resources). You'll learn more about each of these directories in later chapters.

Autoloading
When Symfony is loading, a special file - vendor/autoload.php - is included. This file is created by
Composer and will autoload all application files living in the src/ folder as well as all third-party
libraries mentioned in the composer.json file.
Because of the autoloader, you never need to worry about using include or require statements.
Instead, Composer uses the namespace of a class to determine its location and automatically
includes the file on your behalf the instant you need a class.
The autoloader is already configured to look in the src/ directory for any of your PHP classes. For
autoloading to work, the class name and path to the file have to follow the same pattern:
Listing 4-17

1 Class Name:
2
Acme\DemoBundle\Controller\RandomController
3 Path:
4
src/Acme/DemoBundle/Controller/RandomController.php

The Source (src) Directory
Put simply, the src/ directory contains all of the actual code (PHP code, templates, configuration files,
stylesheets, etc) that drives your application. When developing, the vast majority of your work will be
done inside one or more bundles that you create in this directory.
But what exactly is a bundle?

The Bundle System
A bundle is similar to a plugin in other software, but even better. The key difference is that everything
is a bundle in Symfony, including both the core framework functionality and the code written for your
application. Bundles are first-class citizens in Symfony. This gives you the flexibility to use pre-built
features packaged in third-party bundles6 or to distribute your own bundles. It makes it easy to pick and
choose which features to enable in your application and to optimize them the way you want.
While you'll learn the basics here, an entire cookbook entry is devoted to the organization and best
practices of bundles.

6. http://knpbundles.com

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 41

A bundle is simply a structured set of files within a directory that implement a single feature. You might
create a BlogBundle, a ForumBundle or a bundle for user management (many of these exist already as
open source bundles). Each directory contains everything related to that feature, including PHP files,
templates, stylesheets, JavaScripts, tests and anything else. Every aspect of a feature exists in a bundle
and every feature lives in a bundle.
An application is made up of bundles as defined in the registerBundles() method of the AppKernel
class:
Listing 4-18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

// app/AppKernel.php
public function registerBundles()
{
$bundles = array(
new Symfony\Bundle\FrameworkBundle\FrameworkBundle(),
new Symfony\Bundle\SecurityBundle\SecurityBundle(),
new Symfony\Bundle\TwigBundle\TwigBundle(),
new Symfony\Bundle\MonologBundle\MonologBundle(),
new Symfony\Bundle\SwiftmailerBundle\SwiftmailerBundle(),
new Symfony\Bundle\DoctrineBundle\DoctrineBundle(),
new Symfony\Bundle\AsseticBundle\AsseticBundle(),
new Sensio\Bundle\FrameworkExtraBundle\SensioFrameworkExtraBundle(),
);
if (in_array($this->getEnvironment(), array('dev', 'test'))) {
$bundles[] = new Acme\DemoBundle\AcmeDemoBundle();
$bundles[] = new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle();
$bundles[] = new Sensio\Bundle\DistributionBundle\SensioDistributionBundle();
$bundles[] = new Sensio\Bundle\GeneratorBundle\SensioGeneratorBundle();
}
return $bundles;
}

With the registerBundles() method, you have total control over which bundles are used by your
application (including the core Symfony bundles).
A bundle can live anywhere as long as it can be autoloaded (via the autoloader configured at app/
autoload.php).

Creating a Bundle
The Symfony Standard Edition comes with a handy task that creates a fully-functional bundle for you.
Of course, creating a bundle by hand is pretty easy as well.
To show you how simple the bundle system is, create a new bundle called AcmeTestBundle and enable
it.
The Acme portion is just a dummy name that should be replaced by some "vendor" name that
represents you or your organization (e.g. ABCTestBundle for some company named ABC).

Start by creating a src/Acme/TestBundle/ directory and adding a new file called AcmeTestBundle.php:
Listing 4-19

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 42

// src/Acme/TestBundle/AcmeTestBundle.php
namespace Acme\TestBundle;

1
2
3
4
5
6
7
8

use Symfony\Component\HttpKernel\Bundle\Bundle;
class AcmeTestBundle extends Bundle
{
}

The name AcmeTestBundle follows the standard Bundle naming conventions. You could also
choose to shorten the name of the bundle to simply TestBundle by naming this class TestBundle
(and naming the file TestBundle.php).

This empty class is the only piece you need to create the new bundle. Though commonly empty, this
class is powerful and can be used to customize the behavior of the bundle.
Now that you've created the bundle, enable it via the AppKernel class:
Listing 4-20

1
2
3
4
5
6
7
8
9
10
11
12

// app/AppKernel.php
public function registerBundles()
{
$bundles = array(
...,
// register your bundles
new Acme\TestBundle\AcmeTestBundle(),
);
// ...
return $bundles;
}

And while it doesn't do anything yet, AcmeTestBundle is now ready to be used.
And as easy as this is, Symfony also provides a command-line interface for generating a basic bundle
skeleton:
Listing 4-21

1 $ php app/console generate:bundle --namespace=Acme/TestBundle

The bundle skeleton generates with a basic controller, template and routing resource that can be
customized. You'll learn more about Symfony's command-line tools later.
Whenever creating a new bundle or using a third-party bundle, always make sure the bundle has
been enabled in registerBundles(). When using the generate:bundle command, this is done
for you.

Bundle Directory Structure
The directory structure of a bundle is simple and flexible. By default, the bundle system follows a
set of conventions that help to keep code consistent between all Symfony bundles. Take a look at
AcmeDemoBundle, as it contains some of the most common elements of a bundle:
• Controller/ contains the controllers of the bundle (e.g. RandomController.php);

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 43

• DependencyInjection/ holds certain dependency injection extension classes, which may
import service configuration, register compiler passes or more (this directory is not necessary);
• Resources/config/ houses configuration, including routing configuration (e.g.
routing.yml);
• Resources/views/ holds templates organized by controller name (e.g. Hello/
index.html.twig);
• Resources/public/ contains web assets (images, stylesheets, etc) and is copied or
symbolically linked into the project web/ directory via the assets:install console command;
• Tests/ holds all tests for the bundle.
A bundle can be as small or large as the feature it implements. It contains only the files you need and
nothing else.
As you move through the book, you'll learn how to persist objects to a database, create and validate
forms, create translations for your application, write tests and much more. Each of these has their own
place and role within the bundle.

Application Configuration
An application consists of a collection of bundles representing all of the features and capabilities of your
application. Each bundle can be customized via configuration files written in YAML, XML or PHP. By
default, the main configuration file lives in the app/config/ directory and is called either config.yml,
config.xml or config.php depending on which format you prefer:
Listing 4-22

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# app/config/config.yml
imports:
- { resource: parameters.yml }
- { resource: security.yml }
framework:
secret:
router:
# ...

"%secret%"
{ resource: "%kernel.root_dir%/config/routing.yml" }

# Twig Configuration
twig:
debug:
"%kernel.debug%"
strict_variables: "%kernel.debug%"
# ...

You'll learn exactly how to load each file/format in the next section Environments.

Each top-level entry like framework or twig defines the configuration for a particular bundle. For
example, the framework key defines the configuration for the core Symfony FrameworkBundle and
includes configuration for the routing, templating, and other core systems.
For now, don't worry about the specific configuration options in each section. The configuration file
ships with sensible defaults. As you read more and explore each part of Symfony, you'll learn about the
specific configuration options of each feature.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 44

Configuration Formats
Throughout the chapters, all configuration examples will be shown in all three formats (YAML,
XML and PHP). Each has its own advantages and disadvantages. The choice of which to use is up
to you:
• YAML: Simple, clean and readable (learn more about YAML in "The YAML Format");
• XML: More powerful than YAML at times and supports IDE autocompletion;
• PHP: Very powerful but less readable than standard configuration formats.

Default Configuration Dump
You can dump the default configuration for a bundle in YAML to the console using the config:dumpreference command. Here is an example of dumping the default FrameworkBundle configuration:
Listing 4-23

1 $ app/console config:dump-reference FrameworkBundle

The extension alias (configuration key) can also be used:
Listing 4-24

1 $ app/console config:dump-reference framework

See the cookbook article: How to expose a Semantic Configuration for a Bundle for information on
adding configuration for your own bundle.

Environments
An application can run in various environments. The different environments share the same PHP code
(apart from the front controller), but use different configuration. For instance, a dev environment will
log warnings and errors, while a prod environment will only log errors. Some files are rebuilt on each
request in the dev environment (for the developer's convenience), but cached in the prod environment.
All environments live together on the same machine and execute the same application.
A Symfony project generally begins with three environments (dev, test and prod), though creating new
environments is easy. You can view your application in different environments simply by changing the
front controller in your browser. To see the application in the dev environment, access the application
via the development front controller:
Listing 4-25

1 http://localhost/app_dev.php/random/10

If you'd like to see how your application will behave in the production environment, call the prod front
controller instead:
Listing 4-26

1 http://localhost/app.php/random/10

Since the prod environment is optimized for speed; the configuration, routing and Twig templates are
compiled into flat PHP classes and cached. When viewing changes in the prod environment, you'll need
to clear these cached files and allow them to rebuild:
Listing 4-27

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 45

1 $ php app/console cache:clear --env=prod --no-debug

If you open the web/app.php file, you'll find that it's configured explicitly to use the prod
environment:
Listing 4-28

1 $kernel = new AppKernel('prod', false);

You can create a new front controller for a new environment by copying this file and changing prod
to some other value.

The test environment is used when running automated tests and cannot be accessed directly
through the browser. See the testing chapter for more details.

Environment Configuration
The AppKernel class is responsible for actually loading the configuration file of your choice:
Listing 4-29

1
2
3
4
5
6
7

// app/AppKernel.php
public function registerContainerConfiguration(LoaderInterface $loader)
{
$loader->load(
__DIR__.'/config/config_'.$this->getEnvironment().'.yml'
);
}

You already know that the .yml extension can be changed to .xml or .php if you prefer to use either
XML or PHP to write your configuration. Notice also that each environment loads its own configuration
file. Consider the configuration file for the dev environment.
Listing 4-30

1
2
3
4
5
6
7
8
9

# app/config/config_dev.yml
imports:
- { resource: config.yml }
framework:
router:
{ resource: "%kernel.root_dir%/config/routing_dev.yml" }
profiler: { only_exceptions: false }

# ...

The imports key is similar to a PHP include statement and guarantees that the main configuration file
(config.yml) is loaded first. The rest of the file tweaks the default configuration for increased logging
and other settings conducive to a development environment.
Both the prod and test environments follow the same model: each environment imports the base
configuration file and then modifies its configuration values to fit the needs of the specific environment.
This is just a convention, but one that allows you to reuse most of your configuration and customize just
pieces of it between environments.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 46

Summary
Congratulations! You've now seen every fundamental aspect of Symfony and have hopefully discovered
how easy and flexible it can be. And while there are a lot of features still to come, be sure to keep the
following basic points in mind:
• Creating a page is a three-step process involving a route, a controller and (optionally) a
template;
• Each project contains just a few main directories: web/ (web assets and the front controllers),
app/ (configuration), src/ (your bundles), and vendor/ (third-party code) (there's also a bin/
directory that's used to help updated vendor libraries);
• Each feature in Symfony (including the Symfony framework core) is organized into a bundle,
which is a structured set of files for that feature;
• The configuration for each bundle lives in the Resources/config directory of the bundle and
can be specified in YAML, XML or PHP;
• The global application configuration lives in the app/config directory;
• Each environment is accessible via a different front controller (e.g. app.php and
app_dev.php) and loads a different configuration file.
From here, each chapter will introduce you to more and more powerful tools and advanced concepts.
The more you know about Symfony, the more you'll appreciate the flexibility of its architecture and the
power it gives you to rapidly develop applications.

PDF brought to you by
generated on October 9, 2014

Chapter 4: Creating Pages in Symfony | 47

Chapter 5

Controller
A controller is a PHP function you create that takes information from the HTTP request and constructs
and returns an HTTP response (as a Symfony Response object). The response could be an HTML page,
an XML document, a serialized JSON array, an image, a redirect, a 404 error or anything else you can
dream up. The controller contains whatever arbitrary logic your application needs to render the content
of a page.
See how simple this is by looking at a Symfony controller in action. The following controller would
render a page that simply prints Hello world!:
Listing 5-1

1
2
3
4
5
6

use Symfony\Component\HttpFoundation\Response;
public function helloAction()
{
return new Response('Hello world!');
}

The goal of a controller is always the same: create and return a Response object. Along the way, it might
read information from the request, load a database resource, send an email, or set information on the
user's session. But in all cases, the controller will eventually return the Response object that will be
delivered back to the client.
There's no magic and no other requirements to worry about! Here are a few common examples:
• Controller A prepares a Response object representing the content for the homepage of the site.
• Controller B reads the slug parameter from the request to load a blog entry from the database
and create a Response object displaying that blog. If the slug can't be found in the database,
it creates and returns a Response object with a 404 status code.
• Controller C handles the form submission of a contact form. It reads the form information
from the request, saves the contact information to the database and emails the contact
information to the webmaster. Finally, it creates a Response object that redirects the client's
browser to the contact form "thank you" page.

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 48

Requests, Controller, Response Lifecycle
Every request handled by a Symfony project goes through the same simple lifecycle. The framework takes
care of the repetitive tasks and ultimately executes a controller, which houses your custom application
code:
1. Each request is handled by a single front controller file (e.g. app.php or app_dev.php) that
bootstraps the application;
2. The Router reads information from the request (e.g. the URI), finds a route that matches that
information, and reads the _controller parameter from the route;
3. The controller from the matched route is executed and the code inside the controller creates
and returns a Response object;
4. The HTTP headers and content of the Response object are sent back to the client.
Creating a page is as easy as creating a controller (#3) and making a route that maps a URL to that
controller (#2).
Though similarly named, a "front controller" is different from the "controllers" talked about in this
chapter. A front controller is a short PHP file that lives in your web directory and through which all
requests are directed. A typical application will have a production front controller (e.g. app.php)
and a development front controller (e.g. app_dev.php). You'll likely never need to edit, view or
worry about the front controllers in your application.

A Simple Controller
While a controller can be any PHP callable (a function, method on an object, or a Closure), in Symfony,
a controller is usually a single method inside a controller object. Controllers are also called actions.
Listing 5-2

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/HelloBundle/Controller/HelloController.php
namespace Acme\HelloBundle\Controller;
use Symfony\Component\HttpFoundation\Response;
class HelloController
{
public function indexAction($name)
{
return new Response('<html><body>Hello '.$name.'!</body></html>');
}
}

Note that the controller is the indexAction method, which lives inside a controller class
(HelloController). Don't be confused by the naming: a controller class is simply a convenient
way to group several controllers/actions together. Typically, the controller class will house several
controllers/actions (e.g. updateAction, deleteAction, etc).

This controller is pretty straightforward:
• line 4: Symfony takes advantage of PHP 5.3 namespace functionality to namespace the entire
controller class. The use keyword imports the Response class, which the controller must
return.
• line 6: The class name is the concatenation of a name for the controller class (i.e. Hello)
and the word Controller. This is a convention that provides consistency to controllers and
PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 49

allows them to be referenced only by the first part of the name (i.e. Hello) in the routing
configuration.
• line 8: Each action in a controller class is suffixed with Action and is referenced in the routing
configuration by the action's name (index). In the next section, you'll create a route that maps
a URI to this action. You'll learn how the route's placeholders ({name}) become arguments to
the action method ($name).
• line 10: The controller creates and returns a Response object.

Mapping a URL to a Controller
The new controller returns a simple HTML page. To actually view this page in your browser, you need
to create a route, which maps a specific URL path to the controller:
Listing 5-3

1 # app/config/routing.yml
2 hello:
3
path:
/hello/{name}
4
defaults: { _controller: AcmeHelloBundle:Hello:index }

Going to /hello/ryan now executes the HelloController::indexAction() controller and passes in
ryan for the $name variable. Creating a "page" means simply creating a controller method and associated
route.
Notice the syntax used to refer to the controller: AcmeHelloBundle:Hello:index. Symfony uses a
flexible string notation to refer to different controllers. This is the most common syntax and tells Symfony
to look for a controller class called HelloController inside a bundle named AcmeHelloBundle. The
method indexAction() is then executed.
For more details on the string format used to reference different controllers, see Controller Naming
Pattern.
This example places the routing configuration directly in the app/config/ directory. A better way
to organize your routes is to place each route in the bundle it belongs to. For more information on
this, see Including External Routing Resources.

You can learn much more about the routing system in the Routing chapter.

Route Parameters as Controller Arguments
You already know that the _controller parameter AcmeHelloBundle:Hello:index refers to a
HelloController::indexAction() method that lives inside the AcmeHelloBundle bundle. What's more
interesting is the arguments that are passed to that method:
Listing 5-4

1
2
3
4
5
6
7
8

// src/Acme/HelloBundle/Controller/HelloController.php
namespace Acme\HelloBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class HelloController extends Controller
{
public function indexAction($name)

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 50

9
10
11
12 }

{

// ...
}

The controller has a single argument, $name, which corresponds to the {name} parameter from the
matched route (ryan in the example). In fact, when executing your controller, Symfony matches each
argument of the controller with a parameter from the matched route. Take the following example:
Listing 5-5

1 # app/config/routing.yml
2 hello:
3
path:
/hello/{firstName}/{lastName}
4
defaults: { _controller: AcmeHelloBundle:Hello:index, color: green }

The controller for this can take several arguments:
Listing 5-6

1 public function indexAction($firstName, $lastName, $color)
2 {
3
// ...
4 }

Notice that both placeholder variables ({firstName}, {lastName}) as well as the default color variable
are available as arguments in the controller. When a route is matched, the placeholder variables are
merged with the defaults to make one array that's available to your controller.
Mapping route parameters to controller arguments is easy and flexible. Keep the following guidelines in
mind while you develop.
• The order of the controller arguments does not matter
Symfony is able to match the parameter names from the route to the variable names in
the controller method's signature. In other words, it realizes that the {lastName} parameter
matches up with the $lastName argument. The arguments of the controller could be totally
reordered and still work perfectly:
Listing 5-7

1 public function indexAction($lastName, $color, $firstName)
2 {
3
// ...
4 }

• Each required controller argument must match up with a routing parameter
The following would throw a RuntimeException because there is no foo parameter defined in
the route:
Listing 5-8

1 public function indexAction($firstName, $lastName, $color, $foo)
2 {
3
// ...
4 }

Making the argument optional, however, is perfectly ok. The following example would not
throw an exception:
Listing 5-9

1 public function indexAction($firstName, $lastName, $color, $foo = 'bar')
2 {

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 51

3
4 }

// ...

• Not all routing parameters need to be arguments on your controller
If, for example, the lastName weren't important for your controller, you could omit it entirely:
1 public function indexAction($firstName, $color)
2 {
3
// ...
4 }

Listing 5-10

Every route also has a special _route parameter, which is equal to the name of the route that was
matched (e.g. hello). Though not usually useful, this is equally available as a controller argument.

The Request as a Controller Argument
For convenience, you can also have Symfony pass you the Request object as an argument to your
controller. This is especially convenient when you're working with forms, for example:
Listing 5-11

1
2
3
4
5
6
7
8
9

use Symfony\Component\HttpFoundation\Request;
public function updateAction(Request $request)
{
$form = $this->createForm(...);
$form->handleRequest($request);
// ...
}

Creating Static Pages
You can create a static page without even creating a controller (only a route and template are needed).
Use it! See How to Render a Template without a custom Controller.

The Base Controller Class
For convenience, Symfony comes with a base Controller class that assists with some of the most
common controller tasks and gives your controller class access to any resource it might need. By
extending this Controller class, you can take advantage of several helper methods.
Add the use statement atop the Controller class and then modify the HelloController to extend it:
Listing 5-12

1
2
3
4
5
6

// src/Acme/HelloBundle/Controller/HelloController.php
namespace Acme\HelloBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 52

7 class HelloController extends Controller
8 {
9
public function indexAction($name)
10
{
11
return new Response('<html><body>Hello '.$name.'!</body></html>');
12
}
13 }

This doesn't actually change anything about how your controller works. In the next section, you'll learn
about the helper methods that the base controller class makes available. These methods are just shortcuts
to using core Symfony functionality that's available to you with or without the use of the base Controller
class. A great way to see the core functionality in action is to look in the Controller1 class itself.
Extending the base class is optional in Symfony; it contains useful shortcuts but nothing
mandatory. You can also extend ContainerAware2. The service container object will then be
accessible via the container property.

You can also define your Controllers as Services. This is optional, but can give you more control
over the exact dependencies that are injected into your controllers.

Common Controller Tasks
Though a controller can do virtually anything, most controllers will perform the same basic tasks over
and over again. These tasks, such as redirecting, forwarding, rendering templates and accessing core
services, are very easy to manage in Symfony.

Redirecting
If you want to redirect the user to another page, use the redirect() method:
Listing 5-13

1 public function indexAction()
2 {
3
return $this->redirect($this->generateUrl('homepage'));
4 }

The generateUrl() method is just a helper function that generates the URL for a given route. For more
information, see the Routing chapter.
By default, the redirect() method performs a 302 (temporary) redirect. To perform a 301 (permanent)
redirect, modify the second argument:
Listing 5-14

1 public function indexAction()
2 {
3
return $this->redirect($this->generateUrl('homepage'), 301);
4 }

1. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html
2. http://api.symfony.com/2.3/Symfony/Component/DependencyInjection/ContainerAware.html

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 53

The redirect() method is simply a shortcut that creates a Response object that specializes in
redirecting the user. It's equivalent to:
Listing 5-15

1 use Symfony\Component\HttpFoundation\RedirectResponse;
2
3 return new RedirectResponse($this->generateUrl('homepage'));

Forwarding
You can also easily forward to another controller internally with the forward()3 method. Instead of
redirecting the user's browser, it makes an internal sub-request, and calls the specified controller. The
forward() method returns the Response object that's returned from that controller:
Listing 5-16

1 public function indexAction($name)
2 {
3
$response = $this->forward('AcmeHelloBundle:Hello:fancy', array(
4
'name' => $name,
5
'color' => 'green',
6
));
7
8
// ... further modify the response or return it directly
9
10
return $response;
11 }

Notice that the forward() method uses the same string representation of the controller used in the
routing configuration. In this case, the target controller class will be HelloController inside some
AcmeHelloBundle. The array passed to the method becomes the arguments on the resulting controller.
This same interface is used when embedding controllers into templates (see Embedding Controllers). The
target controller method should look something like the following:
Listing 5-17

1 public function fancyAction($name, $color)
2 {
3
// ... create and return a Response object
4 }

And just like when creating a controller for a route, the order of the arguments to fancyAction doesn't
matter. Symfony matches the index key names (e.g. name) with the method argument names (e.g. $name).
If you change the order of the arguments, Symfony will still pass the correct value to each variable.

3. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html#forward()

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 54

Like other base Controller methods, the forward method is just a shortcut for core Symfony
functionality. A forward can be accomplished directly by duplicating the current request. When
this sub request is executed via the http_kernel service the HttpKernel returns a Response object:
Listing 5-18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

use Symfony\Component\HttpKernel\HttpKernelInterface;
$path = array(
'_controller' => 'AcmeHelloBundle:Hello:fancy',
'name'
=> $name,
'color'
=> 'green',
);
$request = $this->container->get('request');
$subRequest = $request->duplicate(array(), null, $path);
$httpKernel = $this->container->get('http_kernel');
$response = $httpKernel->handle(
$subRequest,
HttpKernelInterface::SUB_REQUEST
);

Rendering Templates
Though not a requirement, most controllers will ultimately render a template that's responsible for
generating the HTML (or other format) for the controller. The renderView() method renders a template
and returns its content. The content from the template can be used to create a Response object:
Listing 5-19

1
2
3
4
5
6
7
8

use Symfony\Component\HttpFoundation\Response;
$content = $this->renderView(
'AcmeHelloBundle:Hello:index.html.twig',
array('name' => $name)
);
return new Response($content);

This can even be done in just one step with the render() method, which returns a Response object
containing the content from the template:
Listing 5-20

1 return $this->render(
2
'AcmeHelloBundle:Hello:index.html.twig',
3
array('name' => $name)
4 );

In both cases, the Resources/views/Hello/index.html.twig template inside the AcmeHelloBundle
will be rendered.
The Symfony templating engine is explained in great detail in the Templating chapter.
You can even avoid calling the render method by using the @Template annotation. See the
FrameworkExtraBundle documentation more details.

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 55

The renderView method is a shortcut to direct use of the templating service. The templating
service can also be used directly:
Listing 5-21

1 $templating = $this->get('templating');
2 $content = $templating->render(
3
'AcmeHelloBundle:Hello:index.html.twig',
4
array('name' => $name)
5 );

It is possible to render templates in deeper subdirectories as well, however be careful to avoid the
pitfall of making your directory structure unduly elaborate:
Listing 5-22

1
2
3
4
5
6

$templating->render(
'AcmeHelloBundle:Hello/Greetings:index.html.twig',
array('name' => $name)
);
// index.html.twig found in Resources/views/Hello/Greetings
// is rendered.

Accessing other Services
When extending the base controller class, you can access any Symfony service via the get() method.
Here are several common services you might need:
Listing 5-23

1 $templating = $this->get('templating');
2
3 $router = $this->get('router');
4
5 $mailer = $this->get('mailer');

There are countless other services available and you are encouraged to define your own. To list all
available services, use the container:debug console command:
Listing 5-24

1 $ php app/console container:debug

For more information, see the Service Container chapter.

Managing Errors and 404 Pages
When things are not found, you should play well with the HTTP protocol and return a 404 response.
To do this, you'll throw a special type of exception. If you're extending the base controller class, do the
following:
Listing 5-25

1 public function indexAction()
2 {
3
// retrieve the object from database
4
$product = ...;
5
if (!$product) {
6
throw $this->createNotFoundException('The product does not exist');
7
}

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 56

8
9
10 }

return $this->render(...);

The createNotFoundException() method creates a special NotFoundHttpException object, which
ultimately triggers a 404 HTTP response inside Symfony.
Of course, you're free to throw any Exception class in your controller - Symfony will automatically return
a 500 HTTP response code.
Listing 5-26

1 throw new \Exception('Something went wrong!');

In every case, a styled error page is shown to the end user and a full debug error page is shown to the
developer (when viewing the page in debug mode). Both of these error pages can be customized. For
details, read the "How to Customize Error Pages" cookbook recipe.

Managing the Session
Symfony provides a nice session object that you can use to store information about the user (be it a
real person using a browser, a bot, or a web service) between requests. By default, Symfony stores the
attributes in a cookie by using the native PHP sessions.
Storing and retrieving information from the session can be easily achieved from any controller:
Listing 5-27

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

use Symfony\Component\HttpFoundation\Request;
public function indexAction(Request $request)
{
$session = $request->getSession();

// store an attribute for reuse during a later user request
$session->set('foo', 'bar');
// get the attribute set by another controller in another request
$foobar = $session->get('foobar');
// use a default value if the attribute doesn't exist
$filters = $session->get('filters', array());
}

These attributes will remain on the user for the remainder of that user's session.

Flash Messages
You can also store small messages that will be stored on the user's session for exactly one additional
request. This is useful when processing a form: you want to redirect and have a special message shown
on the next request. These types of messages are called "flash" messages.
For example, imagine you're processing a form submit:
Listing 5-28

1 use Symfony\Component\HttpFoundation\Request;
2
3 public function updateAction(Request $request)
4 {
5
$form = $this->createForm(...);

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 57

6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21 }

$form->handleRequest($request);
if ($form->isValid()) {
// do some sort of processing
$this->get('session')->getFlashBag()->add(
'notice',
'Your changes were saved!'
);
return $this->redirect($this->generateUrl(...));
}
return $this->render(...);

After processing the request, the controller sets a notice flash message and then redirects. The name
(notice) isn't significant - it's just what you're using to identify the type of the message.
In the template of the next action, the following code could be used to render the notice message:
Listing 5-29

1 {% for flashMessage in app.session.flashbag.get('notice') %}
2
<div class="flash-notice">
3
{{ flashMessage }}
4
</div>
5 {% endfor %}

By design, flash messages are meant to live for exactly one request (they're "gone in a flash"). They're
designed to be used across redirects exactly as you've done in this example.

The Response Object
The only requirement for a controller is to return a Response object. The Response4 class is a PHP
abstraction around the HTTP response - the text-based message filled with HTTP headers and content
that's sent back to the client:
Listing 5-30

1
2
3
4
5
6
7
8

use Symfony\Component\HttpFoundation\Response;

// create a simple Response with a 200 status code (the default)
$response = new Response('Hello '.$name, 200);
// create a JSON-response with a 200 status code
$response = new Response(json_encode(array('name' => $name)));
$response->headers->set('Content-Type', 'application/json');

The headers property is a HeaderBag5 object with several useful methods for reading and mutating
the Response headers. The header names are normalized so that using Content-Type is equivalent
to content-type or even content_type.

4. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html
5. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/HeaderBag.html

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 58

There are also special classes to make certain kinds of responses easier:
• For JSON, there is JsonResponse6. See Creating a JSON Response.
• For files, there is BinaryFileResponse7. See Serving Files.

The Request Object
Besides the values of the routing placeholders, the controller also has access to the Request object. The
framework injects the Request object in the controller if a variable is type-hinted with Request8:
Listing 5-31

1
2
3
4
5
6
7
8
9
10
11
12

use Symfony\Component\HttpFoundation\Request;
public function indexAction(Request $request)
{
$request->isXmlHttpRequest(); // is it an Ajax request?
$request->getPreferredLanguage(array('en', 'fr'));
$request->query->get('page'); // get a $_GET parameter
$request->request->get('page'); // get a $_POST parameter
}

Like the Response object, the request headers are stored in a HeaderBag object and are easily accessible.

Final Thoughts
Whenever you create a page, you'll ultimately need to write some code that contains the logic for that
page. In Symfony, this is called a controller, and it's a PHP function that can do anything it needs in order
to return the final Response object that will be returned to the user.
To make life easier, you can choose to extend a base Controller class, which contains shortcut methods
for many common controller tasks. For example, since you don't want to put HTML code in your
controller, you can use the render() method to render and return the content from a template.
In other chapters, you'll see how the controller can be used to persist and fetch objects from a database,
process form submissions, handle caching and more.

Learn more from the Cookbook
• How to Customize Error Pages
• How to Define Controllers as Services

6. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/JsonResponse.html
7. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/BinaryFileResponse.html
8. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html

PDF brought to you by
generated on October 9, 2014

Chapter 5: Controller | 59

Chapter 6

Routing
Beautiful URLs are an absolute must for any serious web application. This means leaving behind ugly
URLs like index.php?article_id=57 in favor of something like /read/intro-to-symfony.
Having flexibility is even more important. What if you need to change the URL of a page from /blog to
/news? How many links should you need to hunt down and update to make the change? If you're using
Symfony's router, the change is simple.
The Symfony router lets you define creative URLs that you map to different areas of your application. By
the end of this chapter, you'll be able to:





Create complex routes that map to controllers
Generate URLs inside templates and controllers
Load routing resources from bundles (or anywhere else)
Debug your routes

Routing in Action
A route is a map from a URL path to a controller. For example, suppose you want to match any URL like
/blog/my-post or /blog/all-about-symfony and send it to a controller that can look up and render
that blog entry. The route is simple:
Listing 6-1

1 # app/config/routing.yml
2 blog_show:
3
path:
/blog/{slug}
4
defaults: { _controller: AcmeBlogBundle:Blog:show }

New in version 2.2: The path option was introduced in Symfony 2.2, pattern is used in older
versions.

The path defined by the blog_show route acts like /blog/* where the wildcard is given the name slug.
For the URL /blog/my-blog-post, the slug variable gets a value of my-blog-post, which is available

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 60

for you to use in your controller (keep reading). The blog_show is the internal name of the route, which
doesn't have any meaning yet and just needs to be unique. Later, you'll use it to generate URLs.
The _controller parameter is a special key that tells Symfony which controller should be executed when
a URL matches this route. The _controller string is called the logical name. It follows a pattern that
points to a specific PHP class and method:
Listing 6-2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

// src/Acme/BlogBundle/Controller/BlogController.php
namespace Acme\BlogBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class BlogController extends Controller
{
public function showAction($slug)
{
// use the $slug variable to query the database
$blog = ...;
return $this->render('AcmeBlogBundle:Blog:show.html.twig', array(
'blog' => $blog,
));
}
}

Congratulations! You've just created your first route and connected it to a controller. Now, when you
visit /blog/my-post, the showAction controller will be executed and the $slug variable will be equal to
my-post.
This is the goal of the Symfony router: to map the URL of a request to a controller. Along the way, you'll
learn all sorts of tricks that make mapping even the most complex URLs easy.

Routing: Under the Hood
When a request is made to your application, it contains an address to the exact "resource" that the
client is requesting. This address is called the URL, (or URI), and could be /contact, /blog/read-me, or
anything else. Take the following HTTP request for example:
Listing 6-3

1 GET /blog/my-blog-post

The goal of the Symfony routing system is to parse this URL and determine which controller should be
executed. The whole process looks like this:
1. The request is handled by the Symfony front controller (e.g. app.php);
2. The Symfony core (i.e. Kernel) asks the router to inspect the request;
3. The router matches the incoming URL to a specific route and returns information about the
route, including the controller that should be executed;
4. The Symfony Kernel executes the controller, which ultimately returns a Response object.

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 61

The routing layer is a tool that translates the incoming URL into a specific controller to execute.

Creating Routes
Symfony loads all the routes for your application from a single routing configuration file. The file is
usually app/config/routing.yml, but can be configured to be anything (including an XML or PHP file)
via the application configuration file:
Listing 6-4

1 # app/config/config.yml
2 framework:
3
# ...
4
router:
{ resource: "%kernel.root_dir%/config/routing.yml" }

Even though all routes are loaded from a single file, it's common practice to include additional
routing resources. To do so, just point out in the main routing configuration file which external
files should be included. See the Including External Routing Resources section for more
information.

Basic Route Configuration
Defining a route is easy, and a typical application will have lots of routes. A basic route consists of just
two parts: the path to match and a defaults array:
Listing 6-5

1 # app/config/routing.yml
2 _welcome:
3
path:
/
4
defaults: { _controller: AcmeDemoBundle:Main:homepage }

This route matches the homepage (/) and maps it to the AcmeDemoBundle:Main:homepage controller.
The _controller string is translated by Symfony into an actual PHP function and executed. That process
will be explained shortly in the Controller Naming Pattern section.

Routing with Placeholders
Of course the routing system supports much more interesting routes. Many routes will contain one or
more named "wildcard" placeholders:
Listing 6-6

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 62

1 # app/config/routing.yml
2 blog_show:
3
path:
/blog/{slug}
4
defaults: { _controller: AcmeBlogBundle:Blog:show }

The path will match anything that looks like /blog/*. Even better, the value matching the {slug}
placeholder will be available inside your controller. In other words, if the URL is /blog/hello-world,
a $slug variable, with a value of hello-world, will be available in the controller. This can be used, for
example, to load the blog post matching that string.
The path will not, however, match simply /blog. That's because, by default, all placeholders are required.
This can be changed by adding a placeholder value to the defaults array.

Required and Optional Placeholders
To make things more exciting, add a new route that displays a list of all the available blog posts for this
imaginary blog application:
Listing 6-7

1 # app/config/routing.yml
2 blog:
3
path:
/blog
4
defaults: { _controller: AcmeBlogBundle:Blog:index }

So far, this route is as simple as possible - it contains no placeholders and will only match the exact URL
/blog. But what if you need this route to support pagination, where /blog/2 displays the second page of
blog entries? Update the route to have a new {page} placeholder:
Listing 6-8

1 # app/config/routing.yml
2 blog:
3
path:
/blog/{page}
4
defaults: { _controller: AcmeBlogBundle:Blog:index }

Like the {slug} placeholder before, the value matching {page} will be available inside your controller.
Its value can be used to determine which set of blog posts to display for the given page.
But hold on! Since placeholders are required by default, this route will no longer match on simply /blog.
Instead, to see page 1 of the blog, you'd need to use the URL /blog/1! Since that's no way for a rich web
app to behave, modify the route to make the {page} parameter optional. This is done by including it in
the defaults collection:
Listing 6-9

1 # app/config/routing.yml
2 blog:
3
path:
/blog/{page}
4
defaults: { _controller: AcmeBlogBundle:Blog:index, page: 1 }

By adding page to the defaults key, the {page} placeholder is no longer required. The URL /blog will
match this route and the value of the page parameter will be set to 1. The URL /blog/2 will also match,
giving the page parameter a value of 2. Perfect.
URL

route parameters

/blog

blog

{page} = 1

/blog/1

blog

{page} = 1

/blog/2

blog

{page} = 2

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 63

Of course, you can have more than one optional placeholder (e.g. /blog/{slug}/{page}), but
everything after an optional placeholder must be optional. For example, /{page}/blog is a valid
path, but page will always be required (i.e. simply /blog will not match this route).

Routes with optional parameters at the end will not match on requests with a trailing slash (i.e.
/blog/ will not match, /blog will match).

Adding Requirements
Take a quick look at the routes that have been created so far:
Listing 6-10

1 # app/config/routing.yml
2 blog:
3
path:
/blog/{page}
4
defaults: { _controller: AcmeBlogBundle:Blog:index, page: 1 }
5
6 blog_show:
7
path:
/blog/{slug}
8
defaults: { _controller: AcmeBlogBundle:Blog:show }

Can you spot the problem? Notice that both routes have patterns that match URLs that look like
/blog/*. The Symfony router will always choose the first matching route it finds. In other words, the
blog_show route will never be matched. Instead, a URL like /blog/my-blog-post will match the first
route (blog) and return a nonsense value of my-blog-post to the {page} parameter.
URL

route parameters

/blog/2

blog

{page} = 2

/blog/my-blog-post

blog

{page} = my-blog-post

The answer to the problem is to add route requirements. The routes in this example would work perfectly
if the /blog/{page} path only matched URLs where the {page} portion is an integer. Fortunately,
regular expression requirements can easily be added for each parameter. For example:
Listing 6-11

1 # app/config/routing.yml
2 blog:
3
path:
/blog/{page}
4
defaults: { _controller: AcmeBlogBundle:Blog:index, page: 1 }
5
requirements:
6
page: \d+

The \d+ requirement is a regular expression that says that the value of the {page} parameter must be a
digit (i.e. a number). The blog route will still match on a URL like /blog/2 (because 2 is a number), but
it will no longer match a URL like /blog/my-blog-post (because my-blog-post is not a number).
As a result, a URL like /blog/my-blog-post will now properly match the blog_show route.
URL

route

parameters

/blog/2

blog

{page} = 2

/blog/my-blog-post

blog_show {slug} = my-blog-post

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 64

URL

route

parameters

/blog/2-my-blog-post

blog_show {slug} = 2-my-blog-post

Earlier Routes always Win
What this all means is that the order of the routes is very important. If the blog_show route were
placed above the blog route, the URL /blog/2 would match blog_show instead of blog since
the {slug} parameter of blog_show has no requirements. By using proper ordering and clever
requirements, you can accomplish just about anything.

Since the parameter requirements are regular expressions, the complexity and flexibility of each
requirement is entirely up to you. Suppose the homepage of your application is available in two different
languages, based on the URL:
Listing 6-12

1 # app/config/routing.yml
2 homepage:
3
path:
/{culture}
4
defaults: { _controller: AcmeDemoBundle:Main:homepage, culture: en }
5
requirements:
6
culture: en|fr

For incoming requests, the {culture} portion of the URL is matched against the regular expression
(en|fr).
/

{culture} = en

/en {culture} = en
/fr

{culture} = fr

/es

won't match this route

Adding HTTP Method Requirements
In addition to the URL, you can also match on the method of the incoming request (i.e. GET, HEAD,
POST, PUT, DELETE). Suppose you have a contact form with two controllers - one for displaying the
form (on a GET request) and one for processing the form when it's submitted (on a POST request). This
can be accomplished with the following route configuration:
Listing 6-13

1 # app/config/routing.yml
2 contact:
3
path:
/contact
4
defaults: { _controller: AcmeDemoBundle:Main:contact }
5
methods: [GET]
6
7 contact_process:
8
path:
/contact
9
defaults: { _controller: AcmeDemoBundle:Main:contactProcess }
10
methods: [POST]

New in version 2.2: The methods option was introduced in Symfony 2.2. Use the _method
requirement in older versions.

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 65

Despite the fact that these two routes have identical paths (/contact), the first route will match only
GET requests and the second route will match only POST requests. This means that you can display the
form and submit the form via the same URL, while using distinct controllers for the two actions.
If no methods are specified, the route will match on all methods.

Adding a Host Requirement
New in version 2.2: Host matching support was introduced in Symfony 2.2

You can also match on the HTTP host of the incoming request. For more information, see How to Match
a Route Based on the Host in the Routing component documentation.

Advanced Routing Example
At this point, you have everything you need to create a powerful routing structure in Symfony. The
following is an example of just how flexible the routing system can be:
Listing 6-14

1 # app/config/routing.yml
2 article_show:
3
path:
/articles/{culture}/{year}/{title}.{_format}
4
defaults: { _controller: AcmeDemoBundle:Article:show, _format: html }
5
requirements:
6
culture: en|fr
7
_format: html|rss
8
year:
\d+

As you've seen, this route will only match if the {culture} portion of the URL is either en or fr and if
the {year} is a number. This route also shows how you can use a dot between placeholders instead of a
slash. URLs matching this route might look like:
• /articles/en/2010/my-post
• /articles/fr/2010/my-post.rss
• /articles/en/2013/my-latest-post.html

The Special _format Routing Parameter
This example also highlights the special _format routing parameter. When using this parameter,
the matched value becomes the "request format" of the Request object. Ultimately, the request
format is used for such things such as setting the Content-Type of the response (e.g. a json request
format translates into a Content-Type of application/json). It can also be used in the controller
to render a different template for each value of _format. The _format parameter is a very powerful
way to render the same content in different formats.

Sometimes you want to make certain parts of your routes globally configurable. Symfony provides
you with a way to do this by leveraging service container parameters. Read more about this in
"How to Use Service Container Parameters in your Routes".

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 66

Special Routing Parameters
As you've seen, each routing parameter or default value is eventually available as an argument in the
controller method. Additionally, there are three parameters that are special: each adds a unique piece of
functionality inside your application:
• _controller: As you've seen, this parameter is used to determine which controller is executed
when the route is matched;
• _format: Used to set the request format (read more);
• _locale: Used to set the locale on the request (read more).

Controller Naming Pattern
Every route must have a _controller parameter, which dictates which controller should be executed
when that route is matched. This parameter uses a simple string pattern called the logical controller name,
which Symfony maps to a specific PHP method and class. The pattern has three parts, each separated by
a colon:
bundle:controller:action
For example, a _controller value of AcmeBlogBundle:Blog:show means:
Bundle

Controller Class

Method Name

AcmeBlogBundle

BlogController

showAction

The controller might look like this:
Listing 6-15

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/BlogBundle/Controller/BlogController.php
namespace Acme\BlogBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
class BlogController extends Controller
{
public function showAction($slug)
{
// ...
}
}

Notice that Symfony adds the string Controller to the class name (Blog => BlogController) and
Action to the method name (show => showAction).
You could also refer to this controller using its fully-qualified class name and method:
Acme\BlogBundle\Controller\BlogController::showAction. But if you follow some simple
conventions, the logical name is more concise and allows more flexibility.
In addition to using the logical name or the fully-qualified class name, Symfony supports a
third way of referring to a controller. This method uses just one colon separator (e.g.
service_name:indexAction) and refers to the controller as a service (see How to Define
Controllers as Services).

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 67

Route Parameters and Controller Arguments
The route parameters (e.g. {slug}) are especially important because each is made available as an
argument to the controller method:
Listing 6-16

1 public function showAction($slug)
2 {
3
// ...
4 }

In reality, the entire defaults collection is merged with the parameter values to form a single array. Each
key of that array is available as an argument on the controller.
In other words, for each argument of your controller method, Symfony looks for a route parameter of
that name and assigns its value to that argument. In the advanced example above, any combination (in
any order) of the following variables could be used as arguments to the showAction() method:






$culture
$year
$title
$_format
$_controller

Since the placeholders and defaults collection are merged together, even the $_controller variable is
available. For a more detailed discussion, see Route Parameters as Controller Arguments.
You can also use a special $_route variable, which is set to the name of the route that was matched.

You can even add extra information to your route definition and access it within your controller. For
more information on this topic, see How to Pass Extra Information from a Route to a Controller.

Including External Routing Resources
All routes are loaded via a single configuration file - usually app/config/routing.yml (see Creating
Routes above). Commonly, however, you'll want to load routes from other places, like a routing file that
lives inside a bundle. This can be done by "importing" that file:
Listing 6-17

1 # app/config/routing.yml
2 acme_hello:
3
resource: "@AcmeHelloBundle/Resources/config/routing.yml"

When importing resources from YAML, the key (e.g. acme_hello) is meaningless. Just be sure that
it's unique so no other lines override it.

The resource key loads the given routing resource. In this example the resource is the full path to a
file, where the @AcmeHelloBundle shortcut syntax resolves to the path of that bundle. The imported file
might look like this:
Listing 6-18

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 68

1 # src/Acme/HelloBundle/Resources/config/routing.yml
2 acme_hello:
3
path:
/hello/{name}
4
defaults: { _controller: AcmeHelloBundle:Hello:index }

The routes from this file are parsed and loaded in the same way as the main routing file.

Prefixing Imported Routes
You can also choose to provide a "prefix" for the imported routes. For example, suppose you want the
acme_hello route to have a final path of /admin/hello/{name} instead of simply /hello/{name}:
Listing 6-19

1 # app/config/routing.yml
2 acme_hello:
3
resource: "@AcmeHelloBundle/Resources/config/routing.yml"
4
prefix:
/admin

The string /admin will now be prepended to the path of each route loaded from the new routing resource.
You can also define routes using annotations. See the FrameworkExtraBundle documentation to see
how.

Adding a Host Requirement to Imported Routes
New in version 2.2: Host matching support was introduced in Symfony 2.2

You can set the host regex on imported routes. For more information, see Using Host Matching of
Imported Routes.

Visualizing & Debugging Routes
While adding and customizing routes, it's helpful to be able to visualize and get detailed information
about your routes. A great way to see every route in your application is via the router:debug console
command. Execute the command by running the following from the root of your project.
Listing 6-20

1 $ php app/console router:debug

This command will print a helpful list of all the configured routes in your application:
Listing 6-21

1
2
3
4
5
6

homepage
contact
contact_process
article_show
blog
blog_show

PDF brought to you by
generated on October 9, 2014

ANY
GET
POST
ANY
ANY
ANY

/
/contact
/contact
/articles/{culture}/{year}/{title}.{_format}
/blog/{page}
/blog/{slug}

Chapter 6: Routing | 69

You can also get very specific information on a single route by including the route name after the
command:
Listing 6-22

1 $ php app/console router:debug article_show

Likewise, if you want to test whether a URL matches a given route, you can use the router:match
console command:
Listing 6-23

1 $ php app/console router:match /blog/my-latest-post

This command will print which route the URL matches.
Listing 6-24

1 Route "blog_show" matches

Generating URLs
The routing system should also be used to generate URLs. In reality, routing is a bidirectional system:
mapping the URL to a controller+parameters and a route+parameters back to a URL. The match()1 and
generate()2 methods form this bidirectional system. Take the blog_show example route from earlier:
Listing 6-25

1
2
3
4
5
6
7
8

$params = $this->get('router')->match('/blog/my-blog-post');
// array(
//
'slug'
=> 'my-blog-post',
//
'_controller' => 'AcmeBlogBundle:Blog:show',
// )
$uri = $this->get('router')->generate('blog_show', array('slug' => 'my-blog-post'));
// /blog/my-blog-post

To generate a URL, you need to specify the name of the route (e.g. blog_show) and any wildcards (e.g.
slug = my-blog-post) used in the path for that route. With this information, any URL can easily be
generated:
Listing 6-26

1 class MainController extends Controller
2 {
3
public function showAction($slug)
4
{
5
// ...
6
7
$url = $this->generateUrl(
8
'blog_show',
9
array('slug' => 'my-blog-post')
10
);
11
}
12 }

1. http://api.symfony.com/2.3/Symfony/Component/Routing/Router.html#match()
2. http://api.symfony.com/2.3/Symfony/Component/Routing/Router.html#generate()

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 70

In controllers that don't extend Symfony's base Controller3, you can use the router service's
generate()4 method:
Listing 6-27

1
2
3
4
5
6
7
8
9
10
11
12
13
14

use Symfony\Component\DependencyInjection\ContainerAware;
class MainController extends ContainerAware
{
public function showAction($slug)
{
// ...
$url = $this->container->get('router')->generate(
'blog_show',
array('slug' => 'my-blog-post')
);
}
}

In an upcoming section, you'll learn how to generate URLs from inside templates.
If the frontend of your application uses Ajax requests, you might want to be able to generate URLs
in JavaScript based on your routing configuration. By using the FOSJsRoutingBundle5, you can do
exactly that:
Listing 6-28

1 var url = Routing.generate(
2
'blog_show',
3
{"slug": 'my-blog-post'}
4 );

For more information, see the documentation for that bundle.

Generating URLs with Query Strings
The generate method takes an array of wildcard values to generate the URI. But if you pass extra ones,
they will be added to the URI as a query string:
Listing 6-29

1 $this->get('router')->generate('blog', array('page' => 2, 'category' => 'Symfony'));
2 // /blog/2?category=Symfony

Generating URLs from a Template
The most common place to generate a URL is from within a template when linking between pages in
your application. This is done just as before, but using a template helper function:
Listing 6-30

1 <a href="{{ path('blog_show', {'slug': 'my-blog-post'}) }}">
2
Read this blog post.
3 </a>

3. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html
4. http://api.symfony.com/2.3/Symfony/Component/Routing/Router.html#generate()
5. https://github.com/FriendsOfSymfony/FOSJsRoutingBundle

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 71

Generating Absolute URLs
By default, the router will generate relative URLs (e.g. /blog). From a controller, simply pass true to the
third argument of the generateUrl() method:
Listing 6-31

1 $this->generateUrl('blog_show', array('slug' => 'my-blog-post'), true);
2 // http://www.example.com/blog/my-blog-post

From a template, in Twig, simply use the url() function (which generates an absolute URL) rather than
the path() function (which generates a relative URL). In PHP, pass true to generateUrl():
Listing 6-32

1 <a href="{{ url('blog_show', {'slug': 'my-blog-post'}) }}">
2
Read this blog post.
3 </a>

The host that's used when generating an absolute URL is automatically detected using the current
Request object. When generating absolute URLs from outside the web context (for instance in a
console command) this doesn't work. See How to Generate URLs and Send Emails from the Console
to learn how to solve this problem.

Summary
Routing is a system for mapping the URL of incoming requests to the controller function that should be
called to process the request. It both allows you to specify beautiful URLs and keeps the functionality
of your application decoupled from those URLs. Routing is a bidirectional mechanism, meaning that it
should also be used to generate URLs.

Learn more from the Cookbook
• How to Force Routes to always Use HTTPS or HTTP

PDF brought to you by
generated on October 9, 2014

Chapter 6: Routing | 72

Chapter 7

Creating and Using Templates
As you know, the controller is responsible for handling each request that comes into a Symfony
application. In reality, the controller delegates most of the heavy work to other places so that code can
be tested and reused. When a controller needs to generate HTML, CSS or any other content, it hands
the work off to the templating engine. In this chapter, you'll learn how to write powerful templates that
can be used to return content to the user, populate email bodies, and more. You'll learn shortcuts, clever
ways to extend templates and how to reuse template code.
How to render templates is covered in the controller page of the book.

Templates
A template is simply a text file that can generate any text-based format (HTML, XML, CSV, LaTeX ...).
The most familiar type of template is a PHP template - a text file parsed by PHP that contains a mix of
text and PHP code:
Listing 7-1

1 <!DOCTYPE html>
2 <html>
3
<head>
4
<title>Welcome to Symfony!</title>
5
</head>
6
<body>
7
<h1><?php echo $page_title ?></h1>
8
9
<ul id="navigation">
10
<?php foreach ($navigation as $item): ?>
11
<li>
12
<a href="<?php echo $item->getHref() ?>">
13
<?php echo $item->getCaption() ?>
14
</a>
15
</li>

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 73

16
<?php endforeach; ?>
17
</ul>
18
</body>
19 </html>

But Symfony packages an even more powerful templating language called Twig1. Twig allows you to write
concise, readable templates that are more friendly to web designers and, in several ways, more powerful
than PHP templates:
Listing 7-2

1 <!DOCTYPE html>
2 <html>
3
<head>
4
<title>Welcome to Symfony!</title>
5
</head>
6
<body>
7
<h1>{{ page_title }}</h1>
8
9
<ul id="navigation">
10
{% for item in navigation %}
11
<li><a href="{{ item.href }}">{{ item.caption }}</a></li>
12
{% endfor %}
13
</ul>
14
</body>
15 </html>

Twig defines three types of special syntax:
• {{ ... }}: "Says something": prints a variable or the result of an expression to the template;
• {% ... %}: "Does something": a tag that controls the logic of the template; it is used to execute
statements such as for-loops for example.
• {# ... #}: "Comment something": it's the equivalent of the PHP /* comment */ syntax. It's
used to add single or multi-line comments. The content of the comments isn't included in the
rendered pages.
Twig also contains filters, which modify content before being rendered. The following makes the title
variable all uppercase before rendering it:
Listing 7-3

1 {{ title|upper }}

Twig comes with a long list of tags2 and filters3 that are available by default. You can even add your own
extensions4 to Twig as needed.
Registering a Twig extension is as easy as creating a new service and tagging it with
twig.extension tag.

As you'll see throughout the documentation, Twig also supports functions and new functions can be
easily added. For example, the following uses a standard for tag and the cycle function to print ten div
tags, with alternating odd, even classes:
Listing 7-4

1. http://twig.sensiolabs.org
2. http://twig.sensiolabs.org/doc/tags/index.html
3. http://twig.sensiolabs.org/doc/filters/index.html
4. http://twig.sensiolabs.org/doc/advanced.html#creating-an-extension

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 74

1 {% for i in 0..10 %}
2
<div class="{{ cycle(['odd', 'even'], i) }}">
3
<!-- some HTML here -->
4
</div>
5 {% endfor %}

Throughout this chapter, template examples will be shown in both Twig and PHP.
If you do choose to not use Twig and you disable it, you'll need to implement your own exception
handler via the kernel.exception event.

Why Twig?
Twig templates are meant to be simple and won't process PHP tags. This is by design: the Twig
template system is meant to express presentation, not program logic. The more you use Twig, the
more you'll appreciate and benefit from this distinction. And of course, you'll be loved by web
designers everywhere.
Twig can also do things that PHP can't, such as whitespace control, sandboxing, automatic and
contextual output escaping, and the inclusion of custom functions and filters that only affect
templates. Twig contains little features that make writing templates easier and more concise. Take
the following example, which combines a loop with a logical if statement:
Listing 7-5

1 <ul>
2
{% for user in users if user.active %}
3
<li>{{ user.username }}</li>
4
{% else %}
5
<li>No users found</li>
6
{% endfor %}
7 </ul>

Twig Template Caching
Twig is fast. Each Twig template is compiled down to a native PHP class that is rendered at runtime. The
compiled classes are located in the app/cache/{environment}/twig directory (where {environment}
is the environment, such as dev or prod) and in some cases can be useful while debugging. See
Environments for more information on environments.
When debug mode is enabled (common in the dev environment), a Twig template will be automatically
recompiled when changes are made to it. This means that during development you can happily make
changes to a Twig template and instantly see the changes without needing to worry about clearing any
cache.
When debug mode is disabled (common in the prod environment), however, you must clear the Twig
cache directory so that the Twig templates will regenerate. Remember to do this when deploying your
application.

Template Inheritance and Layouts
More often than not, templates in a project share common elements, like the header, footer, sidebar or
more. In Symfony, this problem is thought about differently: a template can be decorated by another
one. This works exactly the same as PHP classes: template inheritance allows you to build a base "layout"
PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 75

template that contains all the common elements of your site defined as blocks (think "PHP class with
base methods"). A child template can extend the base layout and override any of its blocks (think "PHP
subclass that overrides certain methods of its parent class").
First, build a base layout file:
Listing 7-6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

{# app/Resources/views/base.html.twig #}
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>{% block title %}Test Application{% endblock %}</title>
</head>
<body>
<div id="sidebar">
{% block sidebar %}
<ul>
<li><a href="/">Home</a></li>
<li><a href="/blog">Blog</a></li>
</ul>
{% endblock %}
</div>
<div id="content">
{% block body %}{% endblock %}
</div>
</body>
</html>

Though the discussion about template inheritance will be in terms of Twig, the philosophy is the
same between Twig and PHP templates.

This template defines the base HTML skeleton document of a simple two-column page. In this example,
three {% block %} areas are defined (title, sidebar and body). Each block may be overridden by a child
template or left with its default implementation. This template could also be rendered directly. In that
case the title, sidebar and body blocks would simply retain the default values used in this template.
A child template might look like this:
Listing 7-7

1
2
3
4
5
6
7
8
9
10
11

{# src/Acme/BlogBundle/Resources/views/Blog/index.html.twig #}
{% extends '::base.html.twig' %}
{% block title %}My cool blog posts{% endblock %}
{% block body %}
{% for entry in blog_entries %}
<h2>{{ entry.title }}</h2>
<p>{{ entry.body }}</p>
{% endfor %}
{% endblock %}

The parent template is identified by a special string syntax (::base.html.twig) that indicates that
the template lives in the app/Resources/views directory of the project. This naming convention
is explained fully in Template Naming and Locations.

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 76

The key to template inheritance is the {% extends %} tag. This tells the templating engine to first
evaluate the base template, which sets up the layout and defines several blocks. The child template is
then rendered, at which point the title and body blocks of the parent are replaced by those from the
child. Depending on the value of blog_entries, the output might look like this:
Listing 7-8

1 <!DOCTYPE html>
2 <html>
3
<head>
4
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
5
<title>My cool blog posts</title>
6
</head>
7
<body>
8
<div id="sidebar">
9
<ul>
10
<li><a href="/">Home</a></li>
11
<li><a href="/blog">Blog</a></li>
12
</ul>
13
</div>
14
15
<div id="content">
16
<h2>My first post</h2>
17
<p>The body of the first post.</p>
18
19
<h2>Another post</h2>
20
<p>The body of the second post.</p>
21
</div>
22
</body>
23 </html>

Notice that since the child template didn't define a sidebar block, the value from the parent template is
used instead. Content within a {% block %} tag in a parent template is always used by default.
You can use as many levels of inheritance as you want. In the next section, a common three-level
inheritance model will be explained along with how templates are organized inside a Symfony project.
When working with template inheritance, here are some tips to keep in mind:
• If you use {% extends %} in a template, it must be the first tag in that template;
• The more {% block %} tags you have in your base templates, the better. Remember, child
templates don't have to define all parent blocks, so create as many blocks in your base
templates as you want and give each a sensible default. The more blocks your base templates
have, the more flexible your layout will be;
• If you find yourself duplicating content in a number of templates, it probably means you
should move that content to a {% block %} in a parent template. In some cases, a better
solution may be to move the content to a new template and include it (see Including other
Templates);
• If you need to get the content of a block from the parent template, you can use the {{
parent() }} function. This is useful if you want to add to the contents of a parent block
instead of completely overriding it:

Listing 7-9

1 {% block sidebar %}
2
<h3>Table of Contents</h3>
3
4
{# ... #}
5

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 77

6
{{ parent() }}
7 {% endblock %}

Template Naming and Locations
New in version 2.2: Namespaced path support was introduced in 2.2, allowing for template names
like @AcmeDemo/layout.html.twig. See How to Use and Register Namespaced Twig Paths for more
details.

By default, templates can live in two different locations:
• app/Resources/views/: The applications views directory can contain application-wide base
templates (i.e. your application's layouts) as well as templates that override bundle templates
(see Overriding Bundle Templates);
• path/to/bundle/Resources/views/: Each bundle houses its templates in its Resources/
views directory (and subdirectories). The majority of templates will live inside a bundle.
Symfony uses a bundle:controller:template string syntax for templates. This allows for several different
types of templates, each which lives in a specific location:
• AcmeBlogBundle:Blog:index.html.twig: This syntax is used to specify a template for a
specific page. The three parts of the string, each separated by a colon (:), mean the following:
• AcmeBlogBundle: (bundle) the template lives inside the AcmeBlogBundle (e.g. src/
Acme/BlogBundle);
• Blog: (controller) indicates that the template lives inside the Blog subdirectory of
Resources/views;
• index.html.twig: (template) the actual name of the file is index.html.twig.
Assuming that the AcmeBlogBundle lives at src/Acme/BlogBundle, the final path to the layout
would be src/Acme/BlogBundle/Resources/views/Blog/index.html.twig.
• AcmeBlogBundle::layout.html.twig: This syntax refers to a base template that's specific
to the AcmeBlogBundle. Since the middle, "controller", portion is missing (e.g. Blog), the
template lives at Resources/views/layout.html.twig inside AcmeBlogBundle.
• ::base.html.twig: This syntax refers to an application-wide base template or layout. Notice
that the string begins with two colons (::), meaning that both the bundle and controller
portions are missing. This means that the template is not located in any bundle, but instead in
the root app/Resources/views/ directory.
In the Overriding Bundle Templates section, you'll find out how each template living inside the
AcmeBlogBundle, for example, can be overridden by placing a template of the same name in the app/
Resources/AcmeBlogBundle/views/ directory. This gives the power to override templates from any
vendor bundle.
Hopefully the template naming syntax looks familiar - it's the same naming convention used to
refer to Controller Naming Pattern.

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 78

Template Suffix
The bundle:controller:template format of each template specifies where the template file is located.
Every template name also has two extensions that specify the format and engine for that template.
• AcmeBlogBundle:Blog:index.html.twig - HTML format, Twig engine
• AcmeBlogBundle:Blog:index.html.php - HTML format, PHP engine
• AcmeBlogBundle:Blog:index.css.twig - CSS format, Twig engine
By default, any Symfony template can be written in either Twig or PHP, and the last part of the extension
(e.g. .twig or .php) specifies which of these two engines should be used. The first part of the extension,
(e.g. .html, .css, etc) is the final format that the template will generate. Unlike the engine, which
determines how Symfony parses the template, this is simply an organizational tactic used in case the
same resource needs to be rendered as HTML (index.html.twig), XML (index.xml.twig), or any other
format. For more information, read the Template Formats section.
The available "engines" can be configured and even new engines added. See Templating
Configuration for more details.

Tags and Helpers
You already understand the basics of templates, how they're named and how to use template inheritance.
The hardest parts are already behind you. In this section, you'll learn about a large group of tools available
to help perform the most common template tasks such as including other templates, linking to pages and
including images.
Symfony comes bundled with several specialized Twig tags and functions that ease the work of the
template designer. In PHP, the templating system provides an extensible helper system that provides
useful features in a template context.
You've already seen a few built-in Twig tags ({% block %} & {% extends %}) as well as an example of a
PHP helper ($view['slots']). Here you will learn a few more.

Including other Templates
You'll often want to include the same template or code fragment on several different pages. For example,
in an application with "news articles", the template code displaying an article might be used on the article
detail page, on a page displaying the most popular articles, or in a list of the latest articles.
When you need to reuse a chunk of PHP code, you typically move the code to a new PHP class or
function. The same is true for templates. By moving the reused template code into its own template, it
can be included from any other template. First, create the template that you'll need to reuse.
Listing 7-10

1
2
3
4
5
6
7

{# src/Acme/ArticleBundle/Resources/views/Article/articleDetails.html.twig #}
<h2>{{ article.title }}</h2>
<h3 class="byline">by {{ article.authorName }}</h3>
<p>
{{ article.body }}
</p>

Including this template from any other template is simple:
Listing 7-11

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 79

1
2
3
4
5
6
7
8
9
10
11
12
13

{# src/Acme/ArticleBundle/Resources/views/Article/list.html.twig #}
{% extends 'AcmeArticleBundle::layout.html.twig' %}
{% block body %}
<h1>Recent Articles<h1>
{% for article in articles %}
{{ include(
'AcmeArticleBundle:Article:articleDetails.html.twig',
{ 'article': article }
) }}
{% endfor %}
{% endblock %}

The template is included using the {{ include() }} function. Notice that the template name follows
the same typical convention. The articleDetails.html.twig template uses an article variable, which
we pass to it. In this case, you could avoid doing this entirely, as all of the variables available in
list.html.twig are also available in articleDetails.html.twig (unless you set with_context5 to false).
The {'article': article} syntax is the standard Twig syntax for hash maps (i.e. an array with
named keys). If you needed to pass in multiple elements, it would look like this: {'foo': foo,
'bar': bar}.

New in version 2.2: The include() function6 is a new Twig feature that's available in Symfony 2.2.
Prior, the {% include %} tag7 tag was used.

Embedding Controllers
In some cases, you need to do more than include a simple template. Suppose you have a sidebar in your
layout that contains the three most recent articles. Retrieving the three articles may include querying the
database or performing other heavy logic that can't be done from within a template.
The solution is to simply embed the result of an entire controller from your template. First, create a
controller that renders a certain number of recent articles:
Listing 7-12

1 // src/Acme/ArticleBundle/Controller/ArticleController.php
2 class ArticleController extends Controller
3 {
4
public function recentArticlesAction($max = 3)
5
{
6
// make a database call or other logic
7
// to get the "$max" most recent articles
8
$articles = ...;
9
10
return $this->render(
11
'AcmeArticleBundle:Article:recentList.html.twig',
12
array('articles' => $articles)
13
);

5. http://twig.sensiolabs.org/doc/functions/include.html
6. http://twig.sensiolabs.org/doc/functions/include.html
7. http://twig.sensiolabs.org/doc/tags/include.html

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 80

14
15 }

}

The recentList template is perfectly straightforward:
Listing 7-13

1 {# src/Acme/ArticleBundle/Resources/views/Article/recentList.html.twig #}
2 {% for article in articles %}
3
<a href="/article/{{ article.slug }}">
4
{{ article.title }}
5
</a>
6 {% endfor %}

Notice that the article URL is hardcoded in this example (e.g. /article/*slug*). This is a bad
practice. In the next section, you'll learn how to do this correctly.

To include the controller, you'll need to refer to it using the standard string syntax for controllers (i.e.
bundle:controller:action):
Listing 7-14

1
2
3
4
5
6
7
8

{# app/Resources/views/base.html.twig #}
{# ... #}
<div id="sidebar">
{{ render(controller('AcmeArticleBundle:Article:recentArticles', {
'max': 3
})) }}
</div>

Whenever you find that you need a variable or a piece of information that you don't have access to
in a template, consider rendering a controller. Controllers are fast to execute and promote good code
organization and reuse. Of course, like all controllers, they should ideally be "skinny", meaning that as
much code as possible lives in reusable services.

Asynchronous Content with hinclude.js
New in version 2.1: hinclude.js support was introduced in Symfony 2.1

Controllers can be embedded asynchronously using the hinclude.js8 JavaScript library. As the embedded
content comes from another page (or controller for that matter), Symfony uses a version of the standard
render function to configure hinclude tags:
Listing 7-15

1 {{ render_hinclude(controller('...')) }}
2 {{ render_hinclude(url('...')) }}

8. http://mnot.github.com/hinclude/

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 81

hinclude.js9 needs to be included in your page to work.

When using a controller instead of a URL, you must enable the Symfony fragments configuration:
Listing 7-16

1 # app/config/config.yml
2 framework:
3
# ...
4
fragments: { path: /_fragment }

Default content (while loading or if JavaScript is disabled) can be set globally in your application
configuration:
Listing 7-17

1 # app/config/config.yml
2 framework:
3
# ...
4
templating:
5
hinclude_default_template: AcmeDemoBundle::hinclude.html.twig

New in version 2.2: Default templates per render function was introduced in Symfony 2.2

You can define default templates per render function (which will override any global default template
that is defined):
Listing 7-18

1 {{ render_hinclude(controller('...'), {
2
'default': 'AcmeDemoBundle:Default:content.html.twig'
3 }) }}

Or you can also specify a string to display as the default content:
Listing 7-19

1 {{ render_hinclude(controller('...'), {'default': 'Loading...'}) }}

Linking to Pages
Creating links to other pages in your application is one of the most common jobs for a template. Instead
of hardcoding URLs in templates, use the path Twig function (or the router helper in PHP) to generate
URLs based on the routing configuration. Later, if you want to modify the URL of a particular page, all
you'll need to do is change the routing configuration; the templates will automatically generate the new
URL.
First, link to the "_welcome" page, which is accessible via the following routing configuration:
Listing 7-20

1 # app/config/routing.yml
2 _welcome:

9. http://mnot.github.com/hinclude/

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 82

3
4

path:
/
defaults: { _controller: AcmeDemoBundle:Welcome:index }

To link to the page, just use the path Twig function and refer to the route:
Listing 7-21

1 <a href="{{ path('_welcome') }}">Home</a>

As expected, this will generate the URL /. Now, for a more complicated route:
Listing 7-22

1 # app/config/routing.yml
2 article_show:
3
path:
/article/{slug}
4
defaults: { _controller: AcmeArticleBundle:Article:show }

In this case, you need to specify both the route name (article_show) and a value for the {slug}
parameter. Using this route, revisit the recentList template from the previous section and link to the
articles correctly:
Listing 7-23

1 {# src/Acme/ArticleBundle/Resources/views/Article/recentList.html.twig #}
2 {% for article in articles %}
3
<a href="{{ path('article_show', {'slug': article.slug}) }}">
4
{{ article.title }}
5
</a>
6 {% endfor %}

You can also generate an absolute URL by using the url Twig function:
Listing 7-24

1 <a href="{{ url('_welcome') }}">Home</a>

The same can be done in PHP templates by passing a third argument to the generate() method:
Listing 7-25

1 <a href="<?php echo $view['router']->generate(
2
'_welcome',
3
array(),
4
true
5 ) ?>">Home</a>

Linking to Assets
Templates also commonly refer to images, JavaScript, stylesheets and other assets. Of course you could
hard-code the path to these assets (e.g. /images/logo.png), but Symfony provides a more dynamic
option via the asset Twig function:
Listing 7-26

1 <img src="{{ asset('images/logo.png') }}" alt="Symfony!" />
2
3 <link href="{{ asset('css/blog.css') }}" rel="stylesheet" type="text/css" />

The asset function's main purpose is to make your application more portable. If your application lives at
the root of your host (e.g. http://example.com10), then the rendered paths should be /images/logo.png.
10. http://example.com

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 83

But if your application lives in a subdirectory (e.g. http://example.com/my_app11), each asset path should
render with the subdirectory (e.g. /my_app/images/logo.png). The asset function takes care of this by
determining how your application is being used and generating the correct paths accordingly.
Additionally, if you use the asset function, Symfony can automatically append a query string to your
asset, in order to guarantee that updated static assets won't be cached when deployed. For example,
/images/logo.png might look like /images/logo.png?v2. For more information, see the assets_version
configuration option.

Including Stylesheets and JavaScripts in Twig
No site would be complete without including JavaScript files and stylesheets. In Symfony, the inclusion
of these assets is handled elegantly by taking advantage of Symfony's template inheritance.
This section will teach you the philosophy behind including stylesheet and JavaScript assets in
Symfony. Symfony also packages another library, called Assetic, which follows this philosophy but
allows you to do much more interesting things with those assets. For more information on using
Assetic see How to Use Assetic for Asset Management.

Start by adding two blocks to your base template that will hold your assets: one called stylesheets
inside the head tag and another called javascripts just above the closing body tag. These blocks will
contain all of the stylesheets and JavaScripts that you'll need throughout your site:
Listing 7-27

1 {# app/Resources/views/base.html.twig #}
2 <html>
3
<head>
4
{# ... #}
5
6
{% block stylesheets %}
7
<link href="{{ asset('css/main.css') }}" rel="stylesheet" />
8
{% endblock %}
9
</head>
10
<body>
11
{# ... #}
12
13
{% block javascripts %}
14
<script src="{{ asset('js/main.js') }}"></script>
15
{% endblock %}
16
</body>
17 </html>

That's easy enough! But what if you need to include an extra stylesheet or JavaScript from a child
template? For example, suppose you have a contact page and you need to include a contact.css
stylesheet just on that page. From inside that contact page's template, do the following:
Listing 7-28

1
2
3
4
5
6
7
8

{# src/Acme/DemoBundle/Resources/views/Contact/contact.html.twig #}
{% extends '::base.html.twig' %}
{% block stylesheets %}
{{ parent() }}
<link href="{{ asset('css/contact.css') }}" rel="stylesheet" />
{% endblock %}

11. http://example.com/my_app

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 84

9
10 {# ... #}

In the child template, you simply override the stylesheets block and put your new stylesheet tag inside
of that block. Of course, since you want to add to the parent block's content (and not actually replace
it), you should use the parent() Twig function to include everything from the stylesheets block of the
base template.
You can also include assets located in your bundles' Resources/public folder. You will need to run the
php app/console assets:install target [--symlink] command, which moves (or symlinks) files
into the correct location. (target is by default "web").
Listing 7-29

1 <link href="{{ asset('bundles/acmedemo/css/contact.css') }}" rel="stylesheet" />

The end result is a page that includes both the main.css and contact.css stylesheets.

Global Template Variables
During each request, Symfony will set a global template variable app in both Twig and PHP template
engines by default. The app variable is a GlobalVariables12 instance which will give you access to some
application specific variables automatically:






Listing 7-30

app.security - The security context.
app.user - The current user object.
app.request - The request object.
app.session - The session object.
app.environment - The current environment (dev, prod, etc).
app.debug - True if in debug mode. False otherwise.

1 <p>Username: {{ app.user.username }}</p>
2 {% if app.debug %}
3
<p>Request method: {{ app.request.method }}</p>
4
<p>Application Environment: {{ app.environment }}</p>
5 {% endif %}

You can add your own global template variables. See the cookbook example on Global Variables.

Configuring and Using the templating Service
The heart of the template system in Symfony is the templating Engine. This special object is responsible
for rendering templates and returning their content. When you render a template in a controller, for
example, you're actually using the templating engine service. For example:
Listing 7-31

1 return $this->render('AcmeArticleBundle:Article:index.html.twig');

12. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Templating/GlobalVariables.html

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 85

is equivalent to:
Listing 7-32

1
2
3
4
5
6

use Symfony\Component\HttpFoundation\Response;
$engine = $this->container->get('templating');
$content = $engine->render('AcmeArticleBundle:Article:index.html.twig');
return $response = new Response($content);

The templating engine (or "service") is preconfigured to work automatically inside Symfony. It can, of
course, be configured further in the application configuration file:
Listing 7-33

1 # app/config/config.yml
2 framework:
3
# ...
4
templating: { engines: ['twig'] }

Several configuration options are available and are covered in the Configuration Appendix.
The twig engine is mandatory to use the webprofiler (as well as many third-party bundles).

Overriding Bundle Templates
The Symfony community prides itself on creating and maintaining high quality bundles (see
KnpBundles.com13) for a large number of different features. Once you use a third-party bundle, you'll
likely need to override and customize one or more of its templates.
Suppose you've included the imaginary open-source AcmeBlogBundle in your project (e.g. in the src/
Acme/BlogBundle directory). And while you're really happy with everything, you want to override the
blog "list" page to customize the markup specifically for your application. By digging into the Blog
controller of the AcmeBlogBundle, you find the following:
Listing 7-34

1 public function indexAction()
2 {
3
// some logic to retrieve the blogs
4
$blogs = ...;
5
6
$this->render(
7
'AcmeBlogBundle:Blog:index.html.twig',
8
array('blogs' => $blogs)
9
);
10 }

When the AcmeBlogBundle:Blog:index.html.twig is rendered, Symfony actually looks in two different
locations for the template:
1. app/Resources/AcmeBlogBundle/views/Blog/index.html.twig
2. src/Acme/BlogBundle/Resources/views/Blog/index.html.twig
To override the bundle template, just copy the index.html.twig template from the bundle to app/
Resources/AcmeBlogBundle/views/Blog/index.html.twig (the app/Resources/AcmeBlogBundle
directory won't exist, so you'll need to create it). You're now free to customize the template.
13. http://knpbundles.com

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 86

If you add a template in a new location, you may need to clear your cache (php app/console
cache:clear), even if you are in debug mode.

This logic also applies to base bundle templates. Suppose also that each template in AcmeBlogBundle
inherits from a base template called AcmeBlogBundle::layout.html.twig. Just as before, Symfony will
look in the following two places for the template:
1. app/Resources/AcmeBlogBundle/views/layout.html.twig
2. src/Acme/BlogBundle/Resources/views/layout.html.twig
Once again, to override the template, just copy it from the bundle to app/Resources/AcmeBlogBundle/
views/layout.html.twig. You're now free to customize this copy as you see fit.
If you take a step back, you'll see that Symfony always starts by looking in the app/Resources/
{BUNDLE_NAME}/views/ directory for a template. If the template doesn't exist there, it continues by
checking inside the Resources/views directory of the bundle itself. This means that all bundle templates
can be overridden by placing them in the correct app/Resources subdirectory.
You can also override templates from within a bundle by using bundle inheritance. For more
information, see How to Use Bundle Inheritance to Override Parts of a Bundle.

Overriding Core Templates
Since the Symfony framework itself is just a bundle, core templates can be overridden in the same way.
For example, the core TwigBundle contains a number of different "exception" and "error" templates that
can be overridden by copying each from the Resources/views/Exception directory of the TwigBundle
to, you guessed it, the app/Resources/TwigBundle/views/Exception directory.

Three-level Inheritance
One common way to use inheritance is to use a three-level approach. This method works perfectly with
the three different types of templates that were just covered:
• Create a app/Resources/views/base.html.twig file that contains the main layout for your
application (like in the previous example). Internally, this template is called
::base.html.twig;
• Create a template for each "section" of your site. For example, an AcmeBlogBundle, would
have a template called AcmeBlogBundle::layout.html.twig that contains only blog sectionspecific elements;
Listing 7-35

1
2
3
4
5
6
7
8

{# src/Acme/BlogBundle/Resources/views/layout.html.twig #}
{% extends '::base.html.twig' %}
{% block body %}
<h1>Blog Application</h1>
{% block content %}{% endblock %}
{% endblock %}

• Create individual templates for each page and make each extend the appropriate section
template. For example, the "index" page would be called something close to
AcmeBlogBundle:Blog:index.html.twig and list the actual blog posts.
PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 87

Listing 7-36

1
2
3
4
5
6
7
8
9

{# src/Acme/BlogBundle/Resources/views/Blog/index.html.twig #}
{% extends 'AcmeBlogBundle::layout.html.twig' %}
{% block content %}
{% for entry in blog_entries %}
<h2>{{ entry.title }}</h2>
<p>{{ entry.body }}</p>
{% endfor %}
{% endblock %}

Notice that this template extends the section template (AcmeBlogBundle::layout.html.twig) which
in-turn extends the base application layout (::base.html.twig). This is the common three-level
inheritance model.
When building your application, you may choose to follow this method or simply make each page
template extend the base application template directly (e.g. {% extends '::base.html.twig' %}). The
three-template model is a best-practice method used by vendor bundles so that the base template for a
bundle can be easily overridden to properly extend your application's base layout.

Output Escaping
When generating HTML from a template, there is always a risk that a template variable may output
unintended HTML or dangerous client-side code. The result is that dynamic content could break the
HTML of the resulting page or allow a malicious user to perform a Cross Site Scripting14 (XSS) attack.
Consider this classic example:
Listing 7-37

1 Hello {{ name }}

Imagine the user enters the following code for their name:
Listing 7-38

1 <script>alert('hello!')</script>

Without any output escaping, the resulting template will cause a JavaScript alert box to pop up:
Listing 7-39

1 Hello <script>alert('hello!')</script>

And while this seems harmless, if a user can get this far, that same user should also be able to write
JavaScript that performs malicious actions inside the secure area of an unknowing, legitimate user.
The answer to the problem is output escaping. With output escaping on, the same template will render
harmlessly, and literally print the script tag to the screen:
Listing 7-40

1 Hello &lt;script&gt;alert(&#39;helloe&#39;)&lt;/script&gt;

The Twig and PHP templating systems approach the problem in different ways. If you're using Twig,
output escaping is on by default and you're protected. In PHP, output escaping is not automatic, meaning
you'll need to manually escape where necessary.

14. http://en.wikipedia.org/wiki/Cross-site_scripting

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 88

Output Escaping in Twig
If you're using Twig templates, then output escaping is on by default. This means that you're protected
out-of-the-box from the unintentional consequences of user-submitted code. By default, the output
escaping assumes that content is being escaped for HTML output.
In some cases, you'll need to disable output escaping when you're rendering a variable that is trusted and
contains markup that should not be escaped. Suppose that administrative users are able to write articles
that contain HTML code. By default, Twig will escape the article body.
To render it normally, add the raw filter:
Listing 7-41

1 {{ article.body|raw }}

You can also disable output escaping inside a {% block %} area or for an entire template. For more
information, see Output Escaping15 in the Twig documentation.

Output Escaping in PHP
Output escaping is not automatic when using PHP templates. This means that unless you explicitly
choose to escape a variable, you're not protected. To use output escaping, use the special escape() view
method:
Listing 7-42

1 Hello <?php echo $view->escape($name) ?>

By default, the escape() method assumes that the variable is being rendered within an HTML context
(and thus the variable is escaped to be safe for HTML). The second argument lets you change the context.
For example, to output something in a JavaScript string, use the js context:
Listing 7-43

1 var myMsg = 'Hello <?php echo $view->escape($name, 'js') ?>';

Debugging
When using PHP, you can use var_dump() if you need to quickly find the value of a variable passed. This
is useful, for example, inside your controller. The same can be achieved when using Twig thanks to the
debug extension.
Template parameters can then be dumped using the dump function:
Listing 7-44

1
2
3
4
5
6
7
8

{# src/Acme/ArticleBundle/Resources/views/Article/recentList.html.twig #}
{{ dump(articles) }}
{% for article in articles %}
<a href="/article/{{ article.slug }}">
{{ article.title }}
</a>
{% endfor %}

The variables will only be dumped if Twig's debug setting (in config.yml) is true. By default this means
that the variables will be dumped in the dev environment but not the prod environment.

15. http://twig.sensiolabs.org/doc/api.html#escaper-extension

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 89

Syntax Checking
You can check for syntax errors in Twig templates using the twig:lint console command:
Listing 7-45

1
2
3
4
5
6
7
8

# You can check by filename:
$ php app/console twig:lint src/Acme/ArticleBundle/Resources/views/Article/
recentList.html.twig
# or by directory:
$ php app/console twig:lint src/Acme/ArticleBundle/Resources/views
# or using the bundle name:
$ php app/console twig:lint @AcmeArticleBundle

Template Formats
Templates are a generic way to render content in any format. And while in most cases you'll use templates
to render HTML content, a template can just as easily generate JavaScript, CSS, XML or any other format
you can dream of.
For example, the same "resource" is often rendered in several different formats. To render an article index
page in XML, simply include the format in the template name:
• XML template name: AcmeArticleBundle:Article:index.xml.twig
• XML template filename: index.xml.twig
In reality, this is nothing more than a naming convention and the template isn't actually rendered
differently based on its format.
In many cases, you may want to allow a single controller to render multiple different formats based on
the "request format". For that reason, a common pattern is to do the following:
Listing 7-46

1 public function indexAction(Request $request)
2 {
3
$format = $request->getRequestFormat();
4
5
return $this->render('AcmeBlogBundle:Blog:index.'.$format.'.twig');
6 }

The getRequestFormat on the Request object defaults to html, but can return any other format based
on the format requested by the user. The request format is most often managed by the routing, where a
route can be configured so that /contact sets the request format to html while /contact.xml sets the
format to xml. For more information, see the Advanced Example in the Routing chapter.
To create links that include the format parameter, include a _format key in the parameter hash:
Listing 7-47

1 <a href="{{ path('article_show', {'id': 123, '_format': 'pdf'}) }}">
2
PDF Version
3 </a>

Final Thoughts
The templating engine in Symfony is a powerful tool that can be used each time you need to generate
presentational content in HTML, XML or any other format. And though templates are a common way to
PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 90

generate content in a controller, their use is not mandatory. The Response object returned by a controller
can be created with or without the use of a template:
Listing 7-48

1
2
3
4
5

// creates a Response object whose content is the rendered template
$response = $this->render('AcmeArticleBundle:Article:index.html.twig');
// creates a Response object whose content is simple text
$response = new Response('response content');

Symfony's templating engine is very flexible and two different template renderers are available by default:
the traditional PHP templates and the sleek and powerful Twig templates. Both support a template
hierarchy and come packaged with a rich set of helper functions capable of performing the most common
tasks.
Overall, the topic of templating should be thought of as a powerful tool that's at your disposal. In some
cases, you may not need to render a template, and in Symfony, that's absolutely fine.

Learn more from the Cookbook
• How to Use PHP instead of Twig for Templates
• How to Customize Error Pages
• How to Write a custom Twig Extension

PDF brought to you by
generated on October 9, 2014

Chapter 7: Creating and Using Templates | 91

Chapter 8

Databases and Doctrine
One of the most common and challenging tasks for any application involves persisting and reading
information to and from a database. Fortunately, Symfony comes integrated with Doctrine1, a library
whose sole goal is to give you powerful tools to make this easy. In this chapter, you'll learn the basic
philosophy behind Doctrine and see how easy working with a database can be.
Doctrine is totally decoupled from Symfony and using it is optional. This chapter is all about
the Doctrine ORM, which aims to let you map objects to a relational database (such as MySQL,
PostgreSQL or Microsoft SQL). If you prefer to use raw database queries, this is easy, and explained
in the "How to Use Doctrine's DBAL Layer" cookbook entry.
You can also persist data to MongoDB2 using Doctrine ODM library. For more information, read
the "DoctrineMongoDBBundle" documentation.

A Simple Example: A Product
The easiest way to understand how Doctrine works is to see it in action. In this section, you'll configure
your database, create a Product object, persist it to the database and fetch it back out.

Code along with the Example
If you want to follow along with the example in this chapter, create an AcmeStoreBundle via:
Listing 8-1

1 $ php app/console generate:bundle --namespace=Acme/StoreBundle

1. http://www.doctrine-project.org/
2. http://www.mongodb.org/

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 92

Configuring the Database
Before you really begin, you'll need to configure your database connection information. By convention,
this information is usually configured in an app/config/parameters.yml file:
Listing 8-2

1 # app/config/parameters.yml
2 parameters:
3
database_driver:
pdo_mysql
4
database_host:
localhost
5
database_name:
test_project
6
database_user:
root
7
database_password: password
8
9 # ...

Defining the configuration via parameters.yml is just a convention. The parameters defined in
that file are referenced by the main configuration file when setting up Doctrine:
Listing 8-3

1 # app/config/config.yml
2 doctrine:
3
dbal:
4
driver:
"%database_driver%"
5
host:
"%database_host%"
6
dbname:
"%database_name%"
7
user:
"%database_user%"
8
password: "%database_password%"

By separating the database information into a separate file, you can easily keep different versions
of the file on each server. You can also easily store database configuration (or any sensitive
information) outside of your project, like inside your Apache configuration, for example. For more
information, see How to Set external Parameters in the Service Container.

Now that Doctrine knows about your database, you can have it create the database for you:
Listing 8-4

1 $ php app/console doctrine:database:create

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 93

Setting up the Database to be UTF8
One mistake even seasoned developers make when starting a Symfony project is forgetting to setup
default charset and collation on their database, ending up with latin type collations, which are
default for most databases. They might even remember to do it the very first time, but forget that
it's all gone after running a relatively common command during development:
Listing 8-5

1 $ php app/console doctrine:database:drop --force
2 $ php app/console doctrine:database:create

There's no way to configure these defaults inside Doctrine, as it tries to be as agnostic as possible
in terms of environment configuration. One way to solve this problem is to configure server-level
defaults.
Setting UTF8 defaults for MySQL is as simple as adding a few lines to your configuration file
(typically my.cnf):
Listing 8-6

1 [mysqld]
2 collation-server = utf8_general_ci
3 character-set-server = utf8

If you want to use SQLite as your database, you need to set the path where your database file
should be stored:
Listing 8-7

1 # app/config/config.yml
2 doctrine:
3
dbal:
4
driver: pdo_sqlite
5
path: "%kernel.root_dir%/sqlite.db"
6
charset: UTF8

Creating an Entity Class
Suppose you're building an application where products need to be displayed. Without even thinking
about Doctrine or databases, you already know that you need a Product object to represent those
products. Create this class inside the Entity directory of your AcmeStoreBundle:
Listing 8-8

1
2
3
4
5
6
7
8
9
10
11

// src/Acme/StoreBundle/Entity/Product.php
namespace Acme\StoreBundle\Entity;
class Product
{
protected $name;
protected $price;
protected $description;
}

The class - often called an "entity", meaning a basic class that holds data - is simple and helps fulfill the
business requirement of needing products in your application. This class can't be persisted to a database
yet - it's just a simple PHP class.

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 94

Once you learn the concepts behind Doctrine, you can have Doctrine create simple entity classes
for you. This will ask you interactive questions to help you build any entity:
Listing 8-9

1 $ php app/console doctrine:generate:entity

Add Mapping Information
Doctrine allows you to work with databases in a much more interesting way than just fetching rows of
a column-based table into an array. Instead, Doctrine allows you to persist entire objects to the database
and fetch entire objects out of the database. This works by mapping a PHP class to a database table, and
the properties of that PHP class to columns on the table:

For Doctrine to be able to do this, you just have to create "metadata", or configuration that tells Doctrine
exactly how the Product class and its properties should be mapped to the database. This metadata can
be specified in a number of different formats including YAML, XML or directly inside the Product class
via annotations:
Listing 8-10

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

// src/Acme/StoreBundle/Entity/Product.php
namespace Acme\StoreBundle\Entity;
use Doctrine\ORM\Mapping as ORM;

/**
* @ORM\Entity
* @ORM\Table(name="product")
*/
class Product
{
/**
* @ORM\Column(type="integer")
* @ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
protected $id;
/**
* @ORM\Column(type="string", length=100)
*/
protected $name;
/**
* @ORM\Column(type="decimal", scale=2)
*/

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 95

27
28
29
30
31
32
33 }

protected $price;

/**
* @ORM\Column(type="text")
*/
protected $description;

A bundle can accept only one metadata definition format. For example, it's not possible to mix
YAML metadata definitions with annotated PHP entity class definitions.

The table name is optional and if omitted, will be determined automatically based on the name of
the entity class.

Doctrine allows you to choose from a wide variety of different field types, each with their own options.
For information on the available field types, see the Doctrine Field Types Reference section.
You can also check out Doctrine's Basic Mapping Documentation3 for all details about mapping information.
If you use annotations, you'll need to prepend all annotations with ORM\ (e.g. ORM\Column(..)), which is not
shown in Doctrine's documentation. You'll also need to include the use Doctrine\ORM\Mapping as ORM;
statement, which imports the ORM annotations prefix.

Be careful that your class name and properties aren't mapped to a protected SQL keyword (such
as group or user). For example, if your entity class name is Group, then, by default, your table
name will be group, which will cause an SQL error in some engines. See Doctrine's Reserved
SQL keywords documentation4 on how to properly escape these names. Alternatively, if you're
free to choose your database schema, simply map to a different table name or column name. See
Doctrine's Persistent classes5 and Property Mapping6 documentation.

When using another library or program (ie. Doxygen) that uses annotations, you should place the
@IgnoreAnnotation annotation on the class to indicate which annotations Symfony should ignore.
For example, to prevent the @fn annotation from throwing an exception, add the following:
Listing 8-11

3.
4.
5.
6.

1 /**
2 * @IgnoreAnnotation("fn")
3 */
4 class Product
5 // ...

http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/basic-mapping.html
http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/basic-mapping.html#quoting-reserved-words
http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/basic-mapping.html#persistent-classes
http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/basic-mapping.html#property-mapping

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 96

Generating Getters and Setters
Even though Doctrine now knows how to persist a Product object to the database, the class itself isn't
really useful yet. Since Product is just a regular PHP class, you need to create getter and setter methods
(e.g. getName(), setName()) in order to access its properties (since the properties are protected).
Fortunately, Doctrine can do this for you by running:
Listing 8-12

1 $ php app/console doctrine:generate:entities Acme/StoreBundle/Entity/Product

This command makes sure that all of the getters and setters are generated for the Product class. This is
a safe command - you can run it over and over again: it only generates getters and setters that don't exist
(i.e. it doesn't replace your existing methods).
Keep in mind that Doctrine's entity generator produces simple getters/setters. You should check
generated entities and adjust getter/setter logic to your own needs.

More about doctrine:generate:entities
With the doctrine:generate:entities command you can:
• generate getters and setters;
• generate
repository
classes
configured
@ORM\Entity(repositoryClass="...") annotation;
• generate the appropriate constructor for 1:n and n:m relations.

with

the

The doctrine:generate:entities command saves a backup of the original Product.php named
Product.php~. In some cases, the presence of this file can cause a "Cannot redeclare class" error.
It can be safely removed. You can also use the --no-backup option to prevent generating these
backup files.
Note that you don't need to use this command. Doctrine doesn't rely on code generation. Like with
normal PHP classes, you just need to make sure that your protected/private properties have getter
and setter methods. Since this is a common thing to do when using Doctrine, this command was
created.

You can also generate all known entities (i.e. any PHP class with Doctrine mapping information) of a
bundle or an entire namespace:
Listing 8-13

1 $ php app/console doctrine:generate:entities AcmeStoreBundle
2 $ php app/console doctrine:generate:entities Acme

Doctrine doesn't care whether your properties are protected or private, or whether or not you
have a getter or setter function for a property. The getters and setters are generated here only
because you'll need them to interact with your PHP object.

Creating the Database Tables/Schema
You now have a usable Product class with mapping information so that Doctrine knows exactly how to
persist it. Of course, you don't yet have the corresponding product table in your database. Fortunately,
Doctrine can automatically create all the database tables needed for every known entity in your
application. To do this, run:

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 97

Listing 8-14

1 $ php app/console doctrine:schema:update --force

Actually, this command is incredibly powerful. It compares what your database should look like
(based on the mapping information of your entities) with how it actually looks, and generates the
SQL statements needed to update the database to where it should be. In other words, if you add a
new property with mapping metadata to Product and run this task again, it will generate the "alter
table" statement needed to add that new column to the existing product table.
An even better way to take advantage of this functionality is via migrations, which allow you to
generate these SQL statements and store them in migration classes that can be run systematically
on your production server in order to track and migrate your database schema safely and reliably.

Your database now has a fully-functional product table with columns that match the metadata you've
specified.

Persisting Objects to the Database
Now that you have a mapped Product entity and corresponding product table, you're ready to persist
data to the database. From inside a controller, this is pretty easy. Add the following method to the
DefaultController of the bundle:
Listing 8-15

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

// src/Acme/StoreBundle/Controller/DefaultController.php
// ...
use Acme\StoreBundle\Entity\Product;
use Symfony\Component\HttpFoundation\Response;
public function createAction()
{
$product = new Product();
$product->setName('A Foo Bar');
$product->setPrice('19.99');
$product->setDescription('Lorem ipsum dolor');
$em = $this->getDoctrine()->getManager();
$em->persist($product);
$em->flush();
return new Response('Created product id '.$product->getId());
}

If you're following along with this example, you'll need to create a route that points to this action
to see it work.

This article shows working with Doctrine from within a controller by using the getDoctrine()7
method of the controller. This method is a shortcut to get the doctrine service. You can work with
Doctrine anywhere else by injecting that service in the service. See Service Container for more on
creating your own services.

7. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Controller/Controller.html#getDoctrine()

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 98

Take a look at the previous example in more detail:
• lines 9-12 In this section, you instantiate and work with the $product object like any other,
normal PHP object.
• line 14 This line fetches Doctrine's entity manager object, which is responsible for handling
the process of persisting and fetching objects to and from the database.
• line 15 The persist() method tells Doctrine to "manage" the $product object. This does not
actually cause a query to be made to the database (yet).
• line 16 When the flush() method is called, Doctrine looks through all of the objects that it's
managing to see if they need to be persisted to the database. In this example, the $product
object has not been persisted yet, so the entity manager executes an INSERT query and a row is
created in the product table.
In fact, since Doctrine is aware of all your managed entities, when you call the flush() method,
it calculates an overall changeset and executes the most efficient query/queries possible. For
example, if you persist a total of 100 Product objects and then subsequently call flush(), Doctrine
will create a single prepared statement and re-use it for each insert. This pattern is called Unit of
Work, and it's used because it's fast and efficient.

When creating or updating objects, the workflow is always the same. In the next section, you'll see
how Doctrine is smart enough to automatically issue an UPDATE query if the record already exists in the
database.
Doctrine provides a library that allows you to programmatically load testing data into your project
(i.e. "fixture data"). For information, see DoctrineFixturesBundle.

Fetching Objects from the Database
Fetching an object back out of the database is even easier. For example, suppose you've configured a
route to display a specific Product based on its id value:
Listing 8-16

1 public function showAction($id)
2 {
3
$product = $this->getDoctrine()
4
->getRepository('AcmeStoreBundle:Product')
5
->find($id);
6
7
if (!$product) {
8
throw $this->createNotFoundException(
9
'No product found for id '.$id
10
);
11
}
12
13
// ... do something, like pass the $product object into a template
14 }

You can achieve the equivalent of this without writing any code by using the @ParamConverter
shortcut. See the FrameworkExtraBundle documentation for more details.

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 99

When you query for a particular type of object, you always use what's known as its "repository". You can
think of a repository as a PHP class whose only job is to help you fetch entities of a certain class. You can
access the repository object for an entity class via:
Listing 8-17

1 $repository = $this->getDoctrine()
2
->getRepository('AcmeStoreBundle:Product');

The AcmeStoreBundle:Product string is a shortcut you can use anywhere in Doctrine instead of
the full class name of the entity (i.e. Acme\StoreBundle\Entity\Product). As long as your entity
lives under the Entity namespace of your bundle, this will work.

Once you have your repository, you have access to all sorts of helpful methods:
Listing 8-18

1
2
3
4
5
6
7
8
9
10
11
12

// query by the primary key (usually "id")
$product = $repository->find($id);
// dynamic method names to find based on a column value
$product = $repository->findOneById($id);
$product = $repository->findOneByName('foo');
// find *all* products
$products = $repository->findAll();
// find a group of products based on an arbitrary column value
$products = $repository->findByPrice(19.99);

Of course, you can also issue complex queries, which you'll learn more about in the Querying for
Objects section.

You can also take advantage of the useful findBy and findOneBy methods to easily fetch objects based
on multiple conditions:
Listing 8-19

1
2
3
4
5
6
7
8
9
10

// query for one product matching by name and price
$product = $repository->findOneBy(
array('name' => 'foo', 'price' => 19.99)
);
// query for all products matching the name, ordered by price
$products = $repository->findBy(
array('name' => 'foo'),
array('price' => 'ASC')
);

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 100

When you render any page, you can see how many queries were made in the bottom right corner
of the web debug toolbar.

If you click the icon, the profiler will open, showing you the exact queries that were made.

Updating an Object
Once you've fetched an object from Doctrine, updating it is easy. Suppose you have a route that maps a
product id to an update action in a controller:
Listing 8-20

1 public function updateAction($id)
2 {
3
$em = $this->getDoctrine()->getManager();
4
$product = $em->getRepository('AcmeStoreBundle:Product')->find($id);
5
6
if (!$product) {
7
throw $this->createNotFoundException(
8
'No product found for id '.$id
9
);
10
}
11
12
$product->setName('New product name!');
13
$em->flush();
14
15
return $this->redirect($this->generateUrl('homepage'));
16 }

Updating an object involves just three steps:
1. fetching the object from Doctrine;
2. modifying the object;
3. calling flush() on the entity manager
Notice that calling $em->persist($product) isn't necessary. Recall that this method simply tells
Doctrine to manage or "watch" the $product object. In this case, since you fetched the $product object
from Doctrine, it's already managed.

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 101

Deleting an Object
Deleting an object is very similar, but requires a call to the remove() method of the entity manager:
Listing 8-21

1 $em->remove($product);
2 $em->flush();

As you might expect, the remove() method notifies Doctrine that you'd like to remove the given object
from the database. The actual DELETE query, however, isn't actually executed until the flush() method
is called.

Querying for Objects
You've already seen how the repository object allows you to run basic queries without any work:
Listing 8-22

1 $repository->find($id);
2
3 $repository->findOneByName('Foo');

Of course, Doctrine also allows you to write more complex queries using the Doctrine Query Language
(DQL). DQL is similar to SQL except that you should imagine that you're querying for one or more
objects of an entity class (e.g. Product) instead of querying for rows on a table (e.g. product).
When querying in Doctrine, you have two options: writing pure Doctrine queries or using Doctrine's
Query Builder.

Querying for Objects Using Doctrine's Query Builder
Imagine that you want to query for products, but only return products that cost more than 19.99,
ordered from cheapest to most expensive. You can use Doctrine's QueryBuilder for this:
Listing 8-23

1 $repository = $this->getDoctrine()
2
->getRepository('AcmeStoreBundle:Product');
3
4 $query = $repository->createQueryBuilder('p')
5
->where('p.price > :price')
6
->setParameter('price', '19.99')
7
->orderBy('p.price', 'ASC')
8
->getQuery();
9
10 $products = $query->getResult();

The QueryBuilder object contains every method necessary to build your query. By calling the
getQuery() method, the query builder returns a normal Query object, which can be used to get the result
of the query.
Take note of the setParameter() method. When working with Doctrine, it's always a good idea
to set any external values as "placeholders" (:price in the example above) as it prevents SQL
injection attacks.

The getResult() method returns an array of results. To get only one result, you can use
getSingleResult() (which throws exception there is no result) or getOneOrNullResult():
Listing 8-24

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 102

1 $product = $query->getOneOrNullResult();

For more information on Doctrine's Query Builder, consult Doctrine's Query Builder8 documentation.

Querying for Objects with DQL
Instead of using the QueryBuilder, you can alternatively write the queries directly using DQL:
Listing 8-25

1
2
3
4
5
6
7
8
9

$em = $this->getDoctrine()->getManager();
$query = $em->createQuery(
'SELECT p
FROM AcmeStoreBundle:Product p
WHERE p.price > :price
ORDER BY p.price ASC'
)->setParameter('price', '19.99');
$products = $query->getResult();

If you're comfortable with SQL, then DQL should feel very natural. The biggest difference is that you
need to think in terms of "objects" instead of rows in a database. For this reason, you select from the
AcmeStoreBundle:Product object and then alias it as p (as you see, this is equal to what you already did
in the previous section).
The DQL syntax is incredibly powerful, allowing you to easily join between entities (the topic of
relations will be covered later), group, etc. For more information, see the official Doctrine Doctrine Query
Language9 documentation.

Custom Repository Classes
In the previous sections, you began constructing and using more complex queries from inside a
controller. In order to isolate, test and reuse these queries, it's a good practice to create a custom
repository class for your entity and add methods with your query logic there.
To do this, add the name of the repository class to your mapping definition:
Listing 8-26

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/StoreBundle/Entity/Product.php
namespace Acme\StoreBundle\Entity;
use Doctrine\ORM\Mapping as ORM;

/**
* @ORM\Entity(repositoryClass="Acme\StoreBundle\Entity\ProductRepository")
*/
class Product
{
//...
}

Doctrine can generate the repository class for you by running the same command used earlier to generate
the missing getter and setter methods:
Listing 8-27

1 $ php app/console doctrine:generate:entities Acme

8. http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/query-builder.html
9. http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/dql-doctrine-query-language.html

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 103

Next, add a new method - findAllOrderedByName() - to the newly generated repository class. This
method will query for all of the Product entities, ordered alphabetically.
Listing 8-28

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// src/Acme/StoreBundle/Entity/ProductRepository.php
namespace Acme\StoreBundle\Entity;
use Doctrine\ORM\EntityRepository;
class ProductRepository extends EntityRepository
{
public function findAllOrderedByName()
{
return $this->getEntityManager()
->createQuery(
'SELECT p FROM AcmeStoreBundle:Product p ORDER BY p.name ASC'
)
->getResult();
}
}

The entity manager can be accessed via $this->getEntityManager() from inside the repository.

You can use this new method just like the default finder methods of the repository:
Listing 8-29

1 $em = $this->getDoctrine()->getManager();
2 $products = $em->getRepository('AcmeStoreBundle:Product')
3
->findAllOrderedByName();

When using a custom repository class, you still have access to the default finder methods such as
find() and findAll().

Entity Relationships/Associations
Suppose that the products in your application all belong to exactly one "category". In this case, you'll
need a Category object and a way to relate a Product object to a Category object. Start by creating the
Category entity. Since you know that you'll eventually need to persist the class through Doctrine, you
can let Doctrine create the class for you.
Listing 8-30

1 $ php app/console doctrine:generate:entity --entity="AcmeStoreBundle:Category"
--fields="name:string(255)"

This task generates the Category entity for you, with an id field, a name field and the associated getter
and setter functions.

Relationship Mapping Metadata
To relate the Category and Product entities, start by creating a products property on the Category class:
Listing 8-31

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 104

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

// src/Acme/StoreBundle/Entity/Category.php
// ...
use Doctrine\Common\Collections\ArrayCollection;
class Category
{
// ...

/**
* @ORM\OneToMany(targetEntity="Product", mappedBy="category")
*/
protected $products;
public function __construct()
{
$this->products = new ArrayCollection();
}
}

First, since a Category object will relate to many Product objects, a products array property is added
to hold those Product objects. Again, this isn't done because Doctrine needs it, but instead because it
makes sense in the application for each Category to hold an array of Product objects.
The code in the __construct() method is important because Doctrine requires the $products
property to be an ArrayCollection object. This object looks and acts almost exactly like an array,
but has some added flexibility. If this makes you uncomfortable, don't worry. Just imagine that it's
an array and you'll be in good shape.

The targetEntity value in the decorator used above can reference any entity with a valid namespace,
not just entities defined in the same namespace. To relate to an entity defined in a different class or
bundle, enter a full namespace as the targetEntity.

Next, since each Product class can relate to exactly one Category object, you'll want to add a $category
property to the Product class:
Listing 8-32

1
2
3
4
5
6
7
8
9
10
11
12
13

// src/Acme/StoreBundle/Entity/Product.php
// ...
class Product
{
// ...
/**
* @ORM\ManyToOne(targetEntity="Category", inversedBy="products")
* @ORM\JoinColumn(name="category_id", referencedColumnName="id")
*/
protected $category;
}

Finally, now that you've added a new property to both the Category and Product classes, tell Doctrine
to generate the missing getter and setter methods for you:
Listing 8-33

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 105

1 $ php app/console doctrine:generate:entities Acme

Ignore the Doctrine metadata for a moment. You now have two classes - Category and Product with a
natural one-to-many relationship. The Category class holds an array of Product objects and the Product
object can hold one Category object. In other words - you've built your classes in a way that makes sense
for your needs. The fact that the data needs to be persisted to a database is always secondary.
Now, look at the metadata above the $category property on the Product class. The information here
tells Doctrine that the related class is Category and that it should store the id of the category record
on a category_id field that lives on the product table. In other words, the related Category object will
be stored on the $category property, but behind the scenes, Doctrine will persist this relationship by
storing the category's id value on a category_id column of the product table.

The metadata above the $products property of the Category object is less important, and simply tells
Doctrine to look at the Product.category property to figure out how the relationship is mapped.
Before you continue, be sure to tell Doctrine to add the new category table, and product.category_id
column, and new foreign key:
Listing 8-34

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 106

1 $ php app/console doctrine:schema:update --force

This task should only be really used during development. For a more robust method of
systematically updating your production database, read about Doctrine migrations.

Saving Related Entities
Now you can see this new code in action! Imagine you're inside a controller:
Listing 8-35

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

// ...
use Acme\StoreBundle\Entity\Category;
use Acme\StoreBundle\Entity\Product;
use Symfony\Component\HttpFoundation\Response;
class DefaultController extends Controller
{
public function createProductAction()
{
$category = new Category();
$category->setName('Main Products');
$product = new Product();
$product->setName('Foo');
$product->setPrice(19.99);
// relate this product to the category
$product->setCategory($category);
$em = $this->getDoctrine()->getManager();
$em->persist($category);
$em->persist($product);
$em->flush();
return new Response(
'Created product id: '.$product->getId()
.' and category id: '.$category->getId()
);
}
}

Now, a single row is added to both the category and product tables. The product.category_id column
for the new product is set to whatever the id is of the new category. Doctrine manages the persistence of
this relationship for you.

Fetching Related Objects
When you need to fetch associated objects, your workflow looks just like it did before. First, fetch a
$product object and then access its related Category:
Listing 8-36

1 public function showAction($id)
2 {
3
$product = $this->getDoctrine()
4
->getRepository('AcmeStoreBundle:Product')

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 107

5
6
7
8
9
10 }

->find($id);
$categoryName = $product->getCategory()->getName();

// ...

In this example, you first query for a Product object based on the product's id. This issues a query for
just the product data and hydrates the $product object with that data. Later, when you call $product>getCategory()->getName(), Doctrine silently makes a second query to find the Category that's related
to this Product. It prepares the $category object and returns it to you.

What's important is the fact that you have easy access to the product's related category, but the category
data isn't actually retrieved until you ask for the category (i.e. it's "lazily loaded").
You can also query in the other direction:
Listing 8-37

1 public function showProductAction($id)
2 {
3
$category = $this->getDoctrine()
4
->getRepository('AcmeStoreBundle:Category')
5
->find($id);
6
7
$products = $category->getProducts();
8
9
// ...
10 }

In this case, the same things occurs: you first query out for a single Category object, and then Doctrine
makes a second query to retrieve the related Product objects, but only once/if you ask for them (i.e. when
you call ->getProducts()). The $products variable is an array of all Product objects that relate to the
given Category object via their category_id value.

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 108

Relationships and Proxy Classes
This "lazy loading" is possible because, when necessary, Doctrine returns a "proxy" object in place
of the true object. Look again at the above example:
Listing 8-38

1
2
3
4
5
6
7
8

$product = $this->getDoctrine()
->getRepository('AcmeStoreBundle:Product')
->find($id);
$category = $product->getCategory();

// prints "Proxies\AcmeStoreBundleEntityCategoryProxy"
echo get_class($category);

This proxy object extends the true Category object, and looks and acts exactly like it. The
difference is that, by using a proxy object, Doctrine can delay querying for the real Category data
until you actually need that data (e.g. until you call $category->getName()).
The proxy classes are generated by Doctrine and stored in the cache directory. And though you'll
probably never even notice that your $category object is actually a proxy object, it's important to
keep it in mind.
In the next section, when you retrieve the product and category data all at once (via a join),
Doctrine will return the true Category object, since nothing needs to be lazily loaded.

Joining Related Records
In the above examples, two queries were made - one for the original object (e.g. a Category) and one for
the related object(s) (e.g. the Product objects).
Remember that you can see all of the queries made during a request via the web debug toolbar.

Of course, if you know up front that you'll need to access both objects, you can avoid the second query
by issuing a join in the original query. Add the following method to the ProductRepository class:
Listing 8-39

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// src/Acme/StoreBundle/Entity/ProductRepository.php
public function findOneByIdJoinedToCategory($id)
{
$query = $this->getEntityManager()
->createQuery(
'SELECT p, c FROM AcmeStoreBundle:Product p
JOIN p.category c
WHERE p.id = :id'
)->setParameter('id', $id);
try {
return $query->getSingleResult();
} catch (\Doctrine\ORM\NoResultException $e) {
return null;
}
}

Now, you can use this method in your controller to query for a Product object and its related Category
with just one query:
PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 109

Listing 8-40

1 public function showAction($id)
2 {
3
$product = $this->getDoctrine()
4
->getRepository('AcmeStoreBundle:Product')
5
->findOneByIdJoinedToCategory($id);
6
7
$category = $product->getCategory();
8
9
// ...
10 }

More Information on Associations
This section has been an introduction to one common type of entity relationship, the one-to-many
relationship. For more advanced details and examples of how to use other types of relations (e.g. one-toone, many-to-many), see Doctrine's Association Mapping Documentation10.
If you're using annotations, you'll need to prepend all annotations with ORM\ (e.g. ORM\OneToMany),
which is not reflected in Doctrine's documentation. You'll also need to include the use
Doctrine\ORM\Mapping as ORM; statement, which imports the ORM annotations prefix.

Configuration
Doctrine is highly configurable, though you probably won't ever need to worry about most of its options.
To find out more about configuring Doctrine, see the Doctrine section of the config reference.

Lifecycle Callbacks
Sometimes, you need to perform an action right before or after an entity is inserted, updated, or deleted.
These types of actions are known as "lifecycle" callbacks, as they're callback methods that you need to
execute during different stages of the lifecycle of an entity (e.g. the entity is inserted, updated, deleted,
etc).
If you're using annotations for your metadata, start by enabling the lifecycle callbacks. This is not
necessary if you're using YAML or XML for your mapping.
Listing 8-41

1
2
3
4
5
6
7
8

/**
* @ORM\Entity()
* @ORM\HasLifecycleCallbacks()
*/
class Product
{
// ...
}

Now, you can tell Doctrine to execute a method on any of the available lifecycle events. For example,
suppose you want to set a createdAt date column to the current date, only when the entity is first
persisted (i.e. inserted):

10. http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/association-mapping.html

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 110

Listing 8-42

1
2
3
4
5
6
7
8
9

// src/Acme/StoreBundle/Entity/Product.php
/**
* @ORM\PrePersist
*/
public function setCreatedAtValue()
{
$this->createdAt = new \DateTime();
}

The above example assumes that you've created and mapped a createdAt property (not shown
here).

Now, right before the entity is first persisted, Doctrine will automatically call this method and the
createdAt field will be set to the current date.
There are several other lifecycle events that you can hook into. For more information on other lifecycle
events and lifecycle callbacks in general, see Doctrine's Lifecycle Events documentation11.

Lifecycle Callbacks and Event Listeners
Notice that the setCreatedAtValue() method receives no arguments. This is always the case
for lifecycle callbacks and is intentional: lifecycle callbacks should be simple methods that are
concerned with internally transforming data in the entity (e.g. setting a created/updated field,
generating a slug value).
If you need to do some heavier lifting - like perform logging or send an email - you should register
an external class as an event listener or subscriber and give it access to whatever resources you
need. For more information, see How to Register Event Listeners and Subscribers.

Doctrine Field Types Reference
Doctrine comes with a large number of field types available. Each of these maps a PHP data type to a
specific column type in whatever database you're using. For each field type, the Column can be configured
further, setting the length, nullable behavior, name and other options. To see a list of all available types
and more information, see Doctrine's Mapping Types documentation12.

Summary
With Doctrine, you can focus on your objects and how they're useful in your application and worry about
database persistence second. This is because Doctrine allows you to use any PHP object to hold your data
and relies on mapping metadata information to map an object's data to a particular database table.
And even though Doctrine revolves around a simple concept, it's incredibly powerful, allowing you to
create complex queries and subscribe to events that allow you to take different actions as objects go
through their persistence lifecycle.

11. http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/events.html#lifecycle-events
12. http://docs.doctrine-project.org/projects/doctrine-orm/en/latest/reference/basic-mapping.html#property-mapping

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 111

Learn more
For more information about Doctrine, see the Doctrine section of the cookbook. Some useful articles
might be:





How to use Doctrine Extensions: Timestampable, Sluggable, Translatable, etc.
Console Commands
DoctrineFixturesBundle
DoctrineMongoDBBundle

PDF brought to you by
generated on October 9, 2014

Chapter 8: Databases and Doctrine | 112

Chapter 9

Databases and Propel
One of the most common and challenging tasks for any application involves persisting and reading
information to and from a database. Symfony does not come integrated with any ORMs but the Propel
integration is easy. To install Propel, read Working With Symfony21 on the Propel documentation.

A Simple Example: A Product
In this section, you'll configure your database, create a Product object, persist it to the database and fetch
it back out.

Code along with the Example
If you want to follow along with the example in this chapter, create an AcmeStoreBundle via:
Listing 9-1

1 $ php app/console generate:bundle --namespace=Acme/StoreBundle

Configuring the Database
Before you can start, you'll need to configure your database connection information. By convention, this
information is usually configured in an app/config/parameters.yml file:
Listing 9-2

1 # app/config/parameters.yml
2 parameters:
3
database_driver:
mysql
4
database_host:
localhost
5
database_name:
test_project
6
database_user:
root
7
database_password: password
8
database_charset: UTF8

1. http://propelorm.org/Propel/cookbook/symfony2/working-with-symfony2.html#installation

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 113

Defining the configuration via parameters.yml is just a convention. The parameters defined in
that file are referenced by the main configuration file when setting up Propel:

These parameters defined in parameters.yml can now be included in the configuration file
(config.yml):
Listing 9-3

1 propel:
2
dbal:
3
driver:
"%database_driver%"
4
user:
"%database_user%"
5
password: "%database_password%"
6
dsn:
"%database_driver%:host=%database_host%;dbname=%database_name%;charset=%database_charset%"

Now that Propel knows about your database, Symfony can create the database for you:
Listing 9-4

1 $ php app/console propel:database:create

In this example, you have one configured connection, named default. If you want to configure
more than one connection, read the PropelBundle configuration section.

Creating a Model Class
In the Propel world, ActiveRecord classes are known as models because classes generated by Propel
contain some business logic.
For people who use Symfony with Doctrine2, models are equivalent to entities.

Suppose you're building an application where products need to be displayed. First, create a schema.xml
file inside the Resources/config directory of your AcmeStoreBundle:
Listing 9-5

1 <?xml version="1.0" encoding="UTF-8" ?>
2 <database
3
name="default"
4
namespace="Acme\StoreBundle\Model"
5
defaultIdMethod="native">
6
7
<table name="product">
8
<column
9
name="id"
10
type="integer"
11
required="true"
12
primaryKey="true"
13
autoIncrement="true" />
14
15
<column
16
name="name"
17
type="varchar"

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 114

18
primaryString="true"
19
size="100" />
20
<column
21
name="price"
22
type="decimal" />
23
24
<column
25
name="description"
26
type="longvarchar" />
27
</table>
28 </database>

Building the Model
After creating your schema.xml, generate your model from it by running:
Listing 9-6

1 $ php app/console propel:model:build

This generates each model class to quickly develop your application in the Model/ directory of the
AcmeStoreBundle bundle.

Creating the Database Tables/Schema
Now you have a usable Product class and all you need to persist it. Of course, you don't yet have
the corresponding product table in your database. Fortunately, Propel can automatically create all the
database tables needed for every known model in your application. To do this, run:
Listing 9-7

1 $ php app/console propel:sql:build
2 $ php app/console propel:sql:insert --force

Your database now has a fully-functional product table with columns that match the schema you've
specified.
You can run the last three commands combined by using the following command: php app/
console propel:build --insert-sql.

Persisting Objects to the Database
Now that you have a Product object and corresponding product table, you're ready to persist data
to the database. From inside a controller, this is pretty easy. Add the following method to the
DefaultController of the bundle:
Listing 9-8

1
2
3
4
5
6
7
8
9

// src/Acme/StoreBundle/Controller/DefaultController.php
// ...
use Acme\StoreBundle\Model\Product;
use Symfony\Component\HttpFoundation\Response;
public function createAction()
{
$product = new Product();

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 115

10
11
12
13
14
15
16
17 }

$product->setName('A Foo Bar');
$product->setPrice(19.99);
$product->setDescription('Lorem ipsum dolor');
$product->save();
return new Response('Created product id '.$product->getId());

In this piece of code, you instantiate and work with the $product object. When you call the save()
method on it, you persist it to the database. No need to use other services, the object knows how to
persist itself.
If you're following along with this example, you'll need to create a route that points to this action
to see it in action.

Fetching Objects from the Database
Fetching an object back from the database is even easier. For example, suppose you've configured a route
to display a specific Product based on its id value:
Listing 9-9

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// ...
use Acme\StoreBundle\Model\ProductQuery;
public function showAction($id)
{
$product = ProductQuery::create()
->findPk($id);
if (!$product) {
throw $this->createNotFoundException(
'No product found for id '.$id
);
}

// ... do something, like pass the $product object into a template
}

Updating an Object
Once you've fetched an object from Propel, updating it is easy. Suppose you have a route that maps a
product id to an update action in a controller:
Listing 9-10

1
2
3
4
5
6
7
8
9
10

// ...
use Acme\StoreBundle\Model\ProductQuery;
public function updateAction($id)
{
$product = ProductQuery::create()
->findPk($id);
if (!$product) {
throw $this->createNotFoundException(

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 116

11
12
13
14
15
16
17
18
19 }

'No product found for id '.$id
);
}
$product->setName('New product name!');
$product->save();
return $this->redirect($this->generateUrl('homepage'));

Updating an object involves just three steps:
1. fetching the object from Propel (line 6 - 13);
2. modifying the object (line 15);
3. saving it (line 16).

Deleting an Object
Deleting an object is very similar to updating, but requires a call to the delete() method on the object:
Listing 9-11

1 $product->delete();

Querying for Objects
Propel provides generated Query classes to run both basic and complex queries without any work:
Listing 9-12

1 \Acme\StoreBundle\Model\ProductQuery::create()->findPk($id);
2
3 \Acme\StoreBundle\Model\ProductQuery::create()
4
->filterByName('Foo')
5
->findOne();

Imagine that you want to query for products which cost more than 19.99, ordered from cheapest to most
expensive. From inside a controller, do the following:
Listing 9-13

1 $products = \Acme\StoreBundle\Model\ProductQuery::create()
2
->filterByPrice(array('min' => 19.99))
3
->orderByPrice()
4
->find();

In one line, you get your products in a powerful oriented object way. No need to waste your time
with SQL or whatever, Symfony offers fully object oriented programming and Propel respects the same
philosophy by providing an awesome abstraction layer.
If you want to reuse some queries, you can add your own methods to the ProductQuery class:
Listing 9-14

1 // src/Acme/StoreBundle/Model/ProductQuery.php
2 class ProductQuery extends BaseProductQuery
3 {
4
public function filterByExpensivePrice()
5
{
6
return $this
7
->filterByPrice(array('min' => 1000));

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 117

8
9 }

}

But note that Propel generates a lot of methods for you and a simple findAllOrderedByName() can be
written without any effort:
Listing 9-15

1 \Acme\StoreBundle\Model\ProductQuery::create()
2
->orderByName()
3
->find();

Relationships/Associations
Suppose that the products in your application all belong to exactly one "category". In this case, you'll
need a Category object and a way to relate a Product object to a Category object.
Start by adding the category definition in your schema.xml:
Listing 9-16

1 <?xml version="1.0" encoding="UTF-8" ?>
2 <database
3
name="default"
4
namespace="Acme\StoreBundle\Model"
5
defaultIdMethod="native">
6
7
<table name="product">
8
<column
9
name="id"
10
type="integer"
11
required="true"
12
primaryKey="true"
13
autoIncrement="true" />
14
15
<column
16
name="name"
17
type="varchar"
18
primaryString="true"
19
size="100" />
20
21
<column
22
name="price"
23
type="decimal" />
24
25
<column
26
name="description"
27
type="longvarchar" />
28
29
<column
30
name="category_id"
31
type="integer" />
32
33
<foreign-key foreignTable="category">
34
<reference local="category_id" foreign="id" />
35
</foreign-key>
36
</table>
37
38
<table name="category">

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 118

39
<column
40
name="id"
41
type="integer"
42
required="true"
43
primaryKey="true"
44
autoIncrement="true" />
45
46
<column
47
name="name"
48
type="varchar"
49
primaryString="true"
50
size="100" />
51
</table>
52 </database>

Create the classes:
Listing 9-17

1 $ php app/console propel:model:build

Assuming you have products in your database, you don't want to lose them. Thanks to migrations, Propel
will be able to update your database without losing existing data.
Listing 9-18

1 $ php app/console propel:migration:generate-diff
2 $ php app/console propel:migration:migrate

Your database has been updated, you can continue writing your application.

Saving Related Objects
Now, try the code in action. Imagine you're inside a controller:
Listing 9-19

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

// ...
use Acme\StoreBundle\Model\Category;
use Acme\StoreBundle\Model\Product;
use Symfony\Component\HttpFoundation\Response;
class DefaultController extends Controller
{
public function createProductAction()
{
$category = new Category();
$category->setName('Main Products');
$product = new Product();
$product->setName('Foo');
$product->setPrice(19.99);
// relate this product to the category
$product->setCategory($category);

// save the whole
$product->save();
return new Response(
'Created product id: '.$product->getId().' and category id:
'.$category->getId()
);

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 119

25
26 }

}

Now, a single row is added to both the category and product tables. The product.category_id column
for the new product is set to whatever the id is of the new category. Propel manages the persistence of
this relationship for you.

Fetching Related Objects
When you need to fetch associated objects, your workflow looks just like it did before. First, fetch a
$product object and then access its related Category:
Listing 9-20

1
2
3
4
5
6
7
8
9
10
11
12
13

// ...
use Acme\StoreBundle\Model\ProductQuery;
public function showAction($id)
{
$product = ProductQuery::create()
->joinWithCategory()
->findPk($id);
$categoryName = $product->getCategory()->getName();

// ...
}

Note, in the above example, only one query was made.

More Information on Associations
You will find more information on relations by reading the dedicated chapter on Relationships2.

Lifecycle Callbacks
Sometimes, you need to perform an action right before or after an object is inserted, updated, or deleted.
These types of actions are known as "lifecycle" callbacks or "hooks", as they're callback methods that you
need to execute during different stages of the lifecycle of an object (e.g. the object is inserted, updated,
deleted, etc).
To add a hook, just add a new method to the object class:
Listing 9-21

1
2
3
4
5
6
7
8
9
10

// src/Acme/StoreBundle/Model/Product.php
// ...
class Product extends BaseProduct
{
public function preInsert(\PropelPDO $con = null)
{
// do something before the object is inserted
}
}

Propel provides the following hooks:
2. http://propelorm.org/Propel/documentation/04-relationships.html

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 120










preInsert() code executed before insertion of a new object
postInsert() code executed after insertion of a new object
preUpdate() code executed before update of an existing object
postUpdate() code executed after update of an existing object
preSave() code executed before saving an object (new or existing)
postSave() code executed after saving an object (new or existing)
preDelete() code executed before deleting an object
postDelete() code executed after deleting an object

Behaviors
All bundled behaviors in Propel are working with Symfony. To get more information about how to use
Propel behaviors, look at the Behaviors reference section.

Commands
You should read the dedicated section for Propel commands in Symfony23.

3. http://propelorm.org/Propel/cookbook/symfony2/working-with-symfony2#the-commands

PDF brought to you by
generated on October 9, 2014

Chapter 9: Databases and Propel | 121

Chapter 10

Testing
Whenever you write a new line of code, you also potentially add new bugs. To build better and more
reliable applications, you should test your code using both functional and unit tests.

The PHPUnit Testing Framework
Symfony integrates with an independent library - called PHPUnit - to give you a rich testing framework.
This chapter won't cover PHPUnit itself, but it has its own excellent documentation1.
Symfony works with PHPUnit 3.5.11 or later, though version 3.6.4 is needed to test the Symfony
core code itself.

Each test - whether it's a unit test or a functional test - is a PHP class that should live in the Tests/
subdirectory of your bundles. If you follow this rule, then you can run all of your application's tests with
the following command:
Listing 10-1

1 # specify the configuration directory on the command line
2 $ phpunit -c app/

The -c option tells PHPUnit to look in the app/ directory for a configuration file. If you're curious about
the PHPUnit options, check out the app/phpunit.xml.dist file.
Code coverage can be generated with the --coverage-html option.

1. http://phpunit.de/manual/current/en/

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 122

Unit Tests
A unit test is usually a test against a specific PHP class. If you want to test the overall behavior of your
application, see the section about Functional Tests.
Writing Symfony unit tests is no different than writing standard PHPUnit unit tests. Suppose, for
example, that you have an incredibly simple class called Calculator in the Utility/ directory of your
bundle:
Listing 10-2

1
2
3
4
5
6
7
8
9
10

// src/Acme/DemoBundle/Utility/Calculator.php
namespace Acme\DemoBundle\Utility;
class Calculator
{
public function add($a, $b)
{
return $a + $b;
}
}

To test this, create a CalculatorTest file in the Tests/Utility directory of your bundle:
Listing 10-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// src/Acme/DemoBundle/Tests/Utility/CalculatorTest.php
namespace Acme\DemoBundle\Tests\Utility;
use Acme\DemoBundle\Utility\Calculator;
class CalculatorTest extends \PHPUnit_Framework_TestCase
{
public function testAdd()
{
$calc = new Calculator();
$result = $calc->add(30, 12);

// assert that your calculator added the numbers correctly!
$this->assertEquals(42, $result);
}
}

By convention, the Tests/ sub-directory should replicate the directory of your bundle. So, if you're
testing a class in your bundle's Utility/ directory, put the test in the Tests/Utility/ directory.

Just like in your real application - autoloading is automatically enabled via the bootstrap.php.cache file
(as configured by default in the app/phpunit.xml.dist file).
Running tests for a given file or directory is also very easy:
Listing 10-4

1
2
3
4
5
6
7
8

# run all tests in the Utility directory
$ phpunit -c app src/Acme/DemoBundle/Tests/Utility/
# run tests for the Calculator class
$ phpunit -c app src/Acme/DemoBundle/Tests/Utility/CalculatorTest.php
# run all tests for the entire Bundle
$ phpunit -c app src/Acme/DemoBundle/

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 123

Functional Tests
Functional tests check the integration of the different layers of an application (from the routing to the
views). They are no different from unit tests as far as PHPUnit is concerned, but they have a very specific
workflow:






Make a request;
Test the response;
Click on a link or submit a form;
Test the response;
Rinse and repeat.

Your First Functional Test
Functional tests are simple PHP files that typically live in the Tests/Controller directory of your
bundle. If you want to test the pages handled by your DemoController class, start by creating a new
DemoControllerTest.php file that extends a special WebTestCase class.
For example, the Symfony Standard Edition provides a simple functional test for its DemoController
(DemoControllerTest2) that reads as follows:
Listing 10-5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

// src/Acme/DemoBundle/Tests/Controller/DemoControllerTest.php
namespace Acme\DemoBundle\Tests\Controller;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
class DemoControllerTest extends WebTestCase
{
public function testIndex()
{
$client = static::createClient();
$crawler = $client->request('GET', '/demo/hello/Fabien');
$this->assertGreaterThan(
0,
$crawler->filter('html:contains("Hello Fabien")')->count()
);
}
}

2. https://github.com/sensiolabs/SensioDistributionBundle/blob/master/Resources/skeleton/acme-demo-bundle/Acme/DemoBundle/Tests/
Controller/DemoControllerTest.php

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 124

To run your functional tests, the WebTestCase class bootstraps the kernel of your application. In
most cases, this happens automatically. However, if your kernel is in a non-standard directory,
you'll need to modify your phpunit.xml.dist file to set the KERNEL_DIR environment variable to
the directory of your kernel:
Listing 10-6

1 <phpunit>
2
<!-- ... -->
3
<php>
4
<server name="KERNEL_DIR" value="/path/to/your/app/" />
5
</php>
6
<!-- ... -->
7 </phpunit>

The createClient() method returns a client, which is like a browser that you'll use to crawl your site:
Listing 10-7

1 $crawler = $client->request('GET', '/demo/hello/Fabien');

The request() method (see more about the request method) returns a Crawler3 object which can be used
to select elements in the Response, click on links, and submit forms.
The Crawler only works when the response is an XML or an HTML document. To get the raw
content response, call $client->getResponse()->getContent().

Click on a link by first selecting it with the Crawler using either an XPath expression or a CSS selector,
then use the Client to click on it. For example, the following code finds all links with the text Greet, then
selects the second one, and ultimately clicks on it:
Listing 10-8

1 $link = $crawler->filter('a:contains("Greet")')->eq(1)->link();
2
3 $crawler = $client->click($link);

Submitting a form is very similar; select a form button, optionally override some form values, and submit
the corresponding form:
Listing 10-9

1
2
3
4
5
6
7
8

$form = $crawler->selectButton('submit')->form();

// set some values
$form['name'] = 'Lucas';
$form['form_name[subject]'] = 'Hey there!';
// submit the form
$crawler = $client->submit($form);

The form can also handle uploads and contains methods to fill in different types of form fields (e.g.
select() and tick()). For details, see the Forms section below.

Now that you can easily navigate through an application, use assertions to test that it actually does what
you expect it to. Use the Crawler to make assertions on the DOM:
3. http://api.symfony.com/2.3/Symfony/Component/DomCrawler/Crawler.html

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 125

Listing 10-10

1 // Assert that the response matches a given CSS selector.
2 $this->assertGreaterThan(0, $crawler->filter('h1')->count());

Or, test against the Response content directly if you just want to assert that the content contains some
text, or if the Response is not an XML/HTML document:
Listing 10-11

1 $this->assertRegExp(
2
'/Hello Fabien/',
3
$client->getResponse()->getContent()
4 );

More about the request() Method:
The full signature of the request() method is:
Listing 10-12

1 request(
2
$method,
3
$uri,
4
array $parameters = array(),
5
array $files = array(),
6
array $server = array(),
7
$content = null,
8
$changeHistory = true
9 )

The server array is the raw values that you'd expect to normally find in the PHP $_SERVER4
superglobal. For example, to set the Content-Type, Referer and X-Requested-With HTTP
headers, you'd pass the following (mind the HTTP_ prefix for non standard headers):
Listing 10-13

1 $client->request(
2
'GET',
3
'/demo/hello/Fabien',
4
array(),
5
array(),
6
array(
7
'CONTENT_TYPE'
=> 'application/json',
8
'HTTP_REFERER'
=> '/foo/bar',
9
'HTTP_X-Requested-With' => 'XMLHttpRequest',
10
)
11 );

4. http://php.net/manual/en/reserved.variables.server.php

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 126

Useful Assertions
To get you started faster, here is a list of the most common and useful test assertions:
Listing 10-14

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

// Assert that there is at least one h2 tag
// with the class "subtitle"
$this->assertGreaterThan(
0,
$crawler->filter('h2.subtitle')->count()
);
// Assert that there are exactly 4 h2 tags on the page
$this->assertCount(4, $crawler->filter('h2'));
// Assert that the "Content-Type" header is "application/json"
$this->assertTrue(
$client->getResponse()->headers->contains(
'Content-Type',
'application/json'
)
);
// Assert that the response content matches a regexp.
$this->assertRegExp('/foo/', $client->getResponse()->getContent());
// Assert that the response status code is 2xx
$this->assertTrue($client->getResponse()->isSuccessful());
// Assert that the response status code is 404
$this->assertTrue($client->getResponse()->isNotFound());
// Assert a specific 200 status code
$this->assertEquals(
200,
$client->getResponse()->getStatusCode()
);
// Assert that the response is a redirect to /demo/contact
$this->assertTrue(
$client->getResponse()->isRedirect('/demo/contact')
);
// or simply check that the response is a redirect to any URL
$this->assertTrue($client->getResponse()->isRedirect());

Working with the Test Client
The Test Client simulates an HTTP client like a browser and makes requests into your Symfony
application:
Listing 10-15

1 $crawler = $client->request('GET', '/hello/Fabien');

The request() method takes the HTTP method and a URL as arguments and returns a Crawler
instance.
Hardcoding the request URLs is a best practice for functional tests. If the test generates URLs using
the Symfony router, it won't detect any change made to the application URLs which may impact
the end users.

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 127

Use the Crawler to find DOM elements in the Response. These elements can then be used to click on
links and submit forms:
Listing 10-16

1
2
3
4
5

$link = $crawler->selectLink('Go elsewhere...')->link();
$crawler = $client->click($link);
$form = $crawler->selectButton('validate')->form();
$crawler = $client->submit($form, array('name' => 'Fabien'));

The click() and submit() methods both return a Crawler object. These methods are the best way to
browse your application as it takes care of a lot of things for you, like detecting the HTTP method from
a form and giving you a nice API for uploading files.
You will learn more about the Link and Form objects in the Crawler section below.

The request method can also be used to simulate form submissions directly or perform more complex
requests:
Listing 10-17

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

// Directly submit a form (but using the Crawler is easier!)
$client->request('POST', '/submit', array('name' => 'Fabien'));
// Submit a raw JSON string in the request body
$client->request(
'POST',
'/submit',
array(),
array(),
array('CONTENT_TYPE' => 'application/json'),
'{"name":"Fabien"}'
);
// Form submission with a file upload
use Symfony\Component\HttpFoundation\File\UploadedFile;
$photo = new UploadedFile(
'/path/to/photo.jpg',
'photo.jpg',
'image/jpeg',
123
);
$client->request(
'POST',
'/submit',
array('name' => 'Fabien'),
array('photo' => $photo)
);

// Perform a DELETE requests, and pass HTTP headers
$client->request(
'DELETE',
'/post/12',
array(),
array(),
array('PHP_AUTH_USER' => 'username', 'PHP_AUTH_PW' => 'pa$$word')
);

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 128

Last but not least, you can force each request to be executed in its own PHP process to avoid any sideeffects when working with several clients in the same script:
Listing 10-18

1 $client->insulate();

Browsing
The Client supports many operations that can be done in a real browser:
Listing 10-19

1
2
3
4
5
6

$client->back();
$client->forward();
$client->reload();

// Clears all cookies and the history
$client->restart();

Accessing internal Objects
New in version 2.3: The getInternalRequest()5 and getInternalResponse()6 methods were
introduced in Symfony 2.3.

If you use the client to test your application, you might want to access the client's internal objects:
Listing 10-20

1 $history
= $client->getHistory();
2 $cookieJar = $client->getCookieJar();

You can also get the objects related to the latest request:
Listing 10-21

1
2
3
4
5
6
7
8
9
10
11
12
13

// the HttpKernel request instance
$request = $client->getRequest();
// the BrowserKit request instance
$request = $client->getInternalRequest();
// the HttpKernel response instance
$response = $client->getResponse();
// the BrowserKit response instance
$response = $client->getInternalResponse();
$crawler

= $client->getCrawler();

If your requests are not insulated, you can also access the Container and the Kernel:
Listing 10-22

1 $container = $client->getContainer();
2 $kernel
= $client->getKernel();

5. http://api.symfony.com/2.3/Symfony/Component/BrowserKit/Client.html#getInternalRequest()
6. http://api.symfony.com/2.3/Symfony/Component/BrowserKit/Client.html#getInternalResponse()

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 129

Accessing the Container
It's highly recommended that a functional test only tests the Response. But under certain very rare
circumstances, you might want to access some internal objects to write assertions. In such cases, you can
access the dependency injection container:
Listing 10-23

1 $container = $client->getContainer();

Be warned that this does not work if you insulate the client or if you use an HTTP layer. For a list of
services available in your application, use the container:debug console task.
If the information you need to check is available from the profiler, use it instead.

Accessing the Profiler Data
On each request, you can enable the Symfony profiler to collect data about the internal handling of that
request. For example, the profiler could be used to verify that a given page executes less than a certain
number of database queries when loading.
To get the Profiler for the last request, do the following:
Listing 10-24

1
2
3
4
5
6
7

// enable the profiler for the very next request
$client->enableProfiler();
$crawler = $client->request('GET', '/profiler');

// get the profile
$profile = $client->getProfile();

For specific details on using the profiler inside a test, see the How to Use the Profiler in a Functional Test
cookbook entry.

Redirecting
When a request returns a redirect response, the client does not follow it automatically. You can examine
the response and force a redirection afterwards with the followRedirect() method:
Listing 10-25

1 $crawler = $client->followRedirect();

If you want the client to automatically follow all redirects, you can force him with the
followRedirects() method:
Listing 10-26

1 $client->followRedirects();

If you pass false to the followRedirects() method, the redirects will no longer be followed:
Listing 10-27

1 $client->followRedirects(false);

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 130

The Crawler
A Crawler instance is returned each time you make a request with the Client. It allows you to traverse
HTML documents, select nodes, find links and forms.

Traversing
Like jQuery, the Crawler has methods to traverse the DOM of an HTML/XML document. For example,
the following finds all input[type=submit] elements, selects the last one on the page, and then selects
its immediate parent element:
Listing 10-28

1 $newCrawler = $crawler->filter('input[type=submit]')
2
->last()
3
->parents()
4
->first()
5 ;

Many other methods are also available:
Method

Description

filter('h1.title')

Nodes that match the CSS selector

filterXpath('h1')

Nodes that match the XPath expression

eq(1)

Node for the specified index

first()

First node

last()

Last node

siblings()

Siblings

nextAll()

All following siblings

previousAll()

All preceding siblings

parents()

Returns the parent nodes

children()

Returns children nodes

reduce($lambda)

Nodes for which the callable does not return false

Since each of these methods returns a new Crawler instance, you can narrow down your node selection
by chaining the method calls:
Listing 10-29

1 $crawler
2
->filter('h1')
3
->reduce(function ($node, $i) {
4
if (!$node->getAttribute('class')) {
5
return false;
6
}
7
})
8
->first();

Use the count() function to get the number of nodes stored in a Crawler: count($crawler)

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 131

Extracting Information
The Crawler can extract information from the nodes:
Listing 10-30

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// Returns the attribute value for the first node
$crawler->attr('class');
// Returns the node value for the first node
$crawler->text();
// Extracts an array of attributes for all nodes
// (_text returns the node value)
// returns an array for each element in crawler,
// each with the value and href
$info = $crawler->extract(array('_text', 'href'));
// Executes a lambda for each node and return an array of results
$data = $crawler->each(function ($node, $i) {
return $node->attr('href');
});

Links
To select links, you can use the traversing methods above or the convenient selectLink() shortcut:
Listing 10-31

1 $crawler->selectLink('Click here');

This selects all links that contain the given text, or clickable images for which the alt attribute contains
the given text. Like the other filtering methods, this returns another Crawler object.
Once you've selected a link, you have access to a special Link object, which has helpful methods specific
to links (such as getMethod() and getUri()). To click on the link, use the Client's click() method and
pass it a Link object:
Listing 10-32

1 $link = $crawler->selectLink('Click here')->link();
2
3 $client->click($link);

Forms
Just like links, you select forms with the selectButton() method:
Listing 10-33

1 $buttonCrawlerNode = $crawler->selectButton('submit');

Notice that you select form buttons and not forms as a form can have several buttons; if you use
the traversing API, keep in mind that you must look for a button.

The selectButton() method can select button tags and submit input tags. It uses several different parts
of the buttons to find them:
• The value attribute value;
• The id or alt attribute value for images;
• The id or name attribute value for button tags.
PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 132

Once you have a Crawler representing a button, call the form() method to get a Form instance for the
form wrapping the button node:
Listing 10-34

1 $form = $buttonCrawlerNode->form();

When calling the form() method, you can also pass an array of field values that overrides the default
ones:
Listing 10-35

1 $form = $buttonCrawlerNode->form(array(
2
'name'
=> 'Fabien',
3
'my_form[subject]' => 'Symfony rocks!',
4 ));

And if you want to simulate a specific HTTP method for the form, pass it as a second argument:
Listing 10-36

1 $form = $buttonCrawlerNode->form(array(), 'DELETE');

The Client can submit Form instances:
Listing 10-37

1 $client->submit($form);

The field values can also be passed as a second argument of the submit() method:
Listing 10-38

1 $client->submit($form, array(
2
'name'
=> 'Fabien',
3
'my_form[subject]' => 'Symfony rocks!',
4 ));

For more complex situations, use the Form instance as an array to set the value of each field individually:
Listing 10-39

1 // Change the value of a field
2 $form['name'] = 'Fabien';
3 $form['my_form[subject]'] = 'Symfony rocks!';

There is also a nice API to manipulate the values of the fields according to their type:
Listing 10-40

1
2
3
4
5
6
7
8

// Select an option or a radio
$form['country']->select('France');
// Tick a checkbox
$form['like_symfony']->tick();
// Upload a file
$form['photo']->upload('/path/to/lucas.jpg');

You can get the values that will be submitted by calling the getValues() method on the Form
object. The uploaded files are available in a separate array returned by getFiles(). The
getPhpValues() and getPhpFiles() methods also return the submitted values, but in the PHP
format (it converts the keys with square brackets notation - e.g. my_form[subject] - to PHP
arrays).

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 133

Testing Configuration
The Client used by functional tests creates a Kernel that runs in a special test environment. Since
Symfony loads the app/config/config_test.yml in the test environment, you can tweak any of your
application's settings specifically for testing.
For example, by default, the Swift Mailer is configured to not actually deliver emails in the test
environment. You can see this under the swiftmailer configuration option:
Listing 10-41

1 # app/config/config_test.yml
2
3 # ...
4 swiftmailer:
5
disable_delivery: true

You can also use a different environment entirely, or override the default debug mode (true) by passing
each as options to the createClient() method:
Listing 10-42

1 $client = static::createClient(array(
2
'environment' => 'my_test_env',
3
'debug'
=> false,
4 ));

If your application behaves according to some HTTP headers, pass them as the second argument of
createClient():
Listing 10-43

1 $client = static::createClient(array(), array(
2
'HTTP_HOST'
=> 'en.example.com',
3
'HTTP_USER_AGENT' => 'MySuperBrowser/1.0',
4 ));

You can also override HTTP headers on a per request basis:
Listing 10-44

1 $client->request('GET', '/', array(), array(), array(
2
'HTTP_HOST'
=> 'en.example.com',
3
'HTTP_USER_AGENT' => 'MySuperBrowser/1.0',
4 ));

The test client is available as a service in the container in the test environment (or wherever the
framework.test option is enabled). This means you can override the service entirely if you need to.

PHPUnit Configuration
Each application has its own PHPUnit configuration, stored in the app/phpunit.xml.dist file. You can
edit this file to change the defaults or create an app/phpunit.xml file to setup a configuration for your
local machine only.
Store the app/phpunit.xml.dist file in your code repository and ignore the app/phpunit.xml
file.

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 134

By default, only the tests from your own custom bundles stored in the standard directories src/*/
*Bundle/Tests or src/*/Bundle/*Bundle/Tests are run by the phpunit command, as configured in
the app/phpunit.xml.dist file:
Listing 10-45

1 <!-- app/phpunit.xml.dist -->
2 <phpunit>
3
<!-- ... -->
4
<testsuites>
5
<testsuite name="Project Test Suite">
6
<directory>../src/*/*Bundle/Tests</directory>
7
<directory>../src/*/Bundle/*Bundle/Tests</directory>
8
</testsuite>
9
</testsuites>
10
<!-- ... -->
11 </phpunit>

But you can easily add more directories. For instance, the following configuration adds tests from a
custom lib/tests directory:
Listing 10-46

1 <!-- app/phpunit.xml.dist -->
2 <phpunit>
3
<!-- ... -->
4
<testsuites>
5
<testsuite name="Project Test Suite">
6
<!-- ... --->
7
<directory>../lib/tests</directory>
8
</testsuite>
9
</testsuites>
10
<!-- ... --->
11 </phpunit>

To include other directories in the code coverage, also edit the <filter> section:
Listing 10-47

1 <!-- app/phpunit.xml.dist -->
2 <phpunit>
3
<!-- ... -->
4
<filter>
5
<whitelist>
6
<!-- ... -->
7
<directory>../lib</directory>
8
<exclude>
9
<!-- ... -->
10
<directory>../lib/tests</directory>
11
</exclude>
12
</whitelist>
13
</filter>
14
<!-- ... --->
15 </phpunit>

Learn more






The DomCrawler Component
The CssSelector Component
How to Simulate HTTP Authentication in a Functional Test
How to Test the Interaction of several Clients
How to Use the Profiler in a Functional Test

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 135

• How to Customize the Bootstrap Process before Running Tests

PDF brought to you by
generated on October 9, 2014

Chapter 10: Testing | 136

Chapter 11

Validation
Validation is a very common task in web applications. Data entered in forms needs to be validated. Data
also needs to be validated before it is written into a database or passed to a web service.
Symfony ships with a Validator1 component that makes this task easy and transparent. This component
is based on the JSR303 Bean Validation specification2.

The Basics of Validation
The best way to understand validation is to see it in action. To start, suppose you've created a plain-oldPHP object that you need to use somewhere in your application:
Listing 11-1

1
2
3
4
5
6
7

// src/Acme/BlogBundle/Entity/Author.php
namespace Acme\BlogBundle\Entity;
class Author
{
public $name;
}

So far, this is just an ordinary class that serves some purpose inside your application. The goal of
validation is to tell you whether or not the data of an object is valid. For this to work, you'll configure a list
of rules (called constraints) that the object must follow in order to be valid. These rules can be specified
via a number of different formats (YAML, XML, annotations, or PHP).
For example, to guarantee that the $name property is not empty, add the following:
Listing 11-2

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
properties:
4
name:
5
- NotBlank: ~

1. https://github.com/symfony/Validator
2. http://jcp.org/en/jsr/detail?id=303

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 137

Protected and private properties can also be validated, as well as "getter" methods (see Constraint
Targets).

Using the validator Service
Next, to actually validate an Author object, use the validate method on the validator service (class
Validator3). The job of the validator is easy: to read the constraints (i.e. rules) of a class and verify
whether or not the data on the object satisfies those constraints. If validation fails, a non-empty list of
errors (class ConstraintViolationList4) is returned. Take this simple example from inside a controller:
Listing 11-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

// ...
use Symfony\Component\HttpFoundation\Response;
use Acme\BlogBundle\Entity\Author;
public function indexAction()
{
$author = new Author();
// ... do something to the $author object
$validator = $this->get('validator');
$errors = $validator->validate($author);
if (count($errors) > 0) {
/*
* Uses a __toString method on the $errors variable which is a
* ConstraintViolationList object. This gives us a nice string
* for debugging
*/
$errorsString = (string) $errors;
return new Response($errorsString);
}
return new Response('The author is valid! Yes!');
}

If the $name property is empty, you will see the following error message:
Listing 11-4

1 Acme\BlogBundle\Author.name:
2
This value should not be blank

If you insert a value into the name property, the happy success message will appear.
Most of the time, you won't interact directly with the validator service or need to worry about
printing out the errors. Most of the time, you'll use validation indirectly when handling submitted
form data. For more information, see the Validation and Forms.

You could also pass the collection of errors into a template.
Listing 11-5

3. http://api.symfony.com/2.3/Symfony/Component/Validator/Validator.html
4. http://api.symfony.com/2.3/Symfony/Component/Validator/ConstraintViolationList.html

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 138

1 if (count($errors) > 0) {
2
return $this->render('AcmeBlogBundle:Author:validate.html.twig', array(
3
'errors' => $errors,
4
));
5 }

Inside the template, you can output the list of errors exactly as needed:
Listing 11-6

1
2
3
4
5
6
7

{# src/Acme/BlogBundle/Resources/views/Author/validate.html.twig #}
<h3>The author has the following errors</h3>
<ul>
{% for error in errors %}
<li>{{ error.message }}</li>
{% endfor %}
</ul>

Each validation error (called a "constraint violation"), is represented by a ConstraintViolation5
object.

Validation and Forms
The validator service can be used at any time to validate any object. In reality, however, you'll
usually work with the validator indirectly when working with forms. Symfony's form library uses the
validator service internally to validate the underlying object after values have been submitted. The
constraint violations on the object are converted into FieldError objects that can easily be displayed
with your form. The typical form submission workflow looks like the following from inside a controller:
Listing 11-7

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

// ...
use Acme\BlogBundle\Entity\Author;
use Acme\BlogBundle\Form\AuthorType;
use Symfony\Component\HttpFoundation\Request;
public function updateAction(Request $request)
{
$author = new Author();
$form = $this->createForm(new AuthorType(), $author);
$form->handleRequest($request);
if ($form->isValid()) {
// the validation passed, do something with the $author object
return $this->redirect($this->generateUrl(...));
}
return $this->render('BlogBundle:Author:form.html.twig', array(
'form' => $form->createView(),
));
}

5. http://api.symfony.com/2.3/Symfony/Component/Validator/ConstraintViolation.html

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 139

This example uses an AuthorType form class, which is not shown here.

For more information, see the Forms chapter.

Configuration
The Symfony validator is enabled by default, but you must explicitly enable annotations if you're using
the annotation method to specify your constraints:
Listing 11-8

1 # app/config/config.yml
2 framework:
3
validation: { enable_annotations: true }

Constraints
The validator is designed to validate objects against constraints (i.e. rules). In order to validate an
object, simply map one or more constraints to its class and then pass it to the validator service.
Behind the scenes, a constraint is simply a PHP object that makes an assertive statement. In real life,
a constraint could be: "The cake must not be burned". In Symfony, constraints are similar: they are
assertions that a condition is true. Given a value, a constraint will tell you whether or not that value
adheres to the rules of the constraint.

Supported Constraints
Symfony packages a large number of the most commonly-needed constraints:

Basic Constraints
These are the basic constraints: use them to assert very basic things about the value of properties or the
return value of methods on your object.








NotBlank
Blank
NotNull
Null
True
False
Type

String Constraints






Email
Length
Url
Regex
Ip

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 140

Number Constraints
• Range

Comparison Constraints









EqualTo
NotEqualTo
IdenticalTo
NotIdenticalTo
LessThan
LessThanOrEqual
GreaterThan
GreaterThanOrEqual

Date Constraints
• Date
• DateTime
• Time

Collection Constraints








Choice
Collection
Count
UniqueEntity
Language
Locale
Country

File Constraints
• File
• Image

Financial and other Number Constraints







CardScheme
Currency
Luhn
Iban
Isbn
Issn

Other Constraints





Callback
All
UserPassword
Valid

You can also create your own custom constraints. This topic is covered in the "How to Create a custom
Validation Constraint" article of the cookbook.
PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 141

Constraint Configuration
Some constraints, like NotBlank, are simple whereas others, like the Choice constraint, have several
configuration options available. Suppose that the Author class has another property, gender that can be
set to either "male" or "female":
Listing 11-9

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
properties:
4
gender:
5
- Choice: { choices: [male, female], message: Choose a valid gender. }

The options of a constraint can always be passed in as an array. Some constraints, however, also allow
you to pass the value of one, "default", option in place of the array. In the case of the Choice constraint,
the choices options can be specified in this way.
Listing 11-10

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
properties:
4
gender:
5
- Choice: [male, female]

This is purely meant to make the configuration of the most common option of a constraint shorter and
quicker.
If you're ever unsure of how to specify an option, either check the API documentation for the constraint
or play it safe by always passing in an array of options (the first method shown above).

Translation Constraint Messages
For information on translating the constraint messages, see Translating Constraint Messages.

Constraint Targets
Constraints can be applied to a class property (e.g. name) or a public getter method (e.g. getFullName).
The first is the most common and easy to use, but the second allows you to specify more complex
validation rules.

Properties
Validating class properties is the most basic validation technique. Symfony allows you to validate private,
protected or public properties. The next listing shows you how to configure the $firstName property of
an Author class to have at least 3 characters.
Listing 11-11

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
properties:
4
firstName:
5
- NotBlank: ~
6
- Length:
7
min: 3

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 142

Getters
Constraints can also be applied to the return value of a method. Symfony allows you to add a constraint
to any public method whose name starts with "get" or "is". In this guide, both of these types of methods
are referred to as "getters".
The benefit of this technique is that it allows you to validate your object dynamically. For example,
suppose you want to make sure that a password field doesn't match the first name of the user (for security
reasons). You can do this by creating an isPasswordLegal method, and then asserting that this method
must return true:
Listing 11-12

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
getters:
4
passwordLegal:
5
- "True": { message: "The password cannot match your first name" }

Now, create the isPasswordLegal() method, and include the logic you need:
Listing 11-13

1 public function isPasswordLegal()
2 {
3
return $this->firstName != $this->password;
4 }

The keen-eyed among you will have noticed that the prefix of the getter ("get" or "is") is omitted
in the mapping. This allows you to move the constraint to a property with the same name later (or
vice versa) without changing your validation logic.

Classes
Some constraints apply to the entire class being validated. For example, the Callback constraint is a
generic constraint that's applied to the class itself. When that class is validated, methods specified by that
constraint are simply executed so that each can provide more custom validation.

Validation Groups
So far, you've been able to add constraints to a class and ask whether or not that class passes all of
the defined constraints. In some cases, however, you'll need to validate an object against only some of
the constraints on that class. To do this, you can organize each constraint into one or more "validation
groups", and then apply validation against just one group of constraints.
For example, suppose you have a User class, which is used both when a user registers and when a user
updates their contact information later:
Listing 11-14

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\User:
3
properties:
4
email:
5
- Email: { groups: [registration] }
6
password:
7
- NotBlank: { groups: [registration] }
8
- Length: { min: 7, groups: [registration] }
9
city:

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 143

10
11

- Length:
min: 2

With this configuration, there are three validation groups:
• Default - contains the constraints in the current class and all referenced classes that belong to
no other group;
• User - equivalent to all constraints of the User object in the Default group;
• registration - contains the constraints on the email and password fields only.
To tell the validator to use a specific group, pass one or more group names as the second argument to the
validate() method:
Listing 11-15

1 $errors = $validator->validate($author, array('registration'));

If no groups are specified, all constraints that belong in group Default will be applied.
Of course, you'll usually work with validation indirectly through the form library. For information on
how to use validation groups inside forms, see Validation Groups.

Group Sequence
In some cases, you want to validate your groups by steps. To do this, you can use the GroupSequence
feature. In this case, an object defines a group sequence, which determines the order groups should be
validated.
For example, suppose you have a User class and want to validate that the username and the password
are different only if all other validation passes (in order to avoid multiple error messages).
Listing 11-16

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\User:
3
group_sequence:
4
- User
5
- Strict
6
getters:
7
passwordLegal:
8
- "True":
9
message: "The password cannot match your username"
10
groups: [Strict]
11
properties:
12
username:
13
- NotBlank: ~
14
password:
15
- NotBlank: ~

In this example, it will first validate all constraints in the group User (which is the same as the Default
group). Only if all constraints in that group are valid, the second group, Strict, will be validated.

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 144

As you have already seen in the previous section, the Default group and the group containing the
class name (e.g. User) were identical. However, when using Group Sequences, they are no longer
identical. The Default group will now reference the group sequence, instead of all constraints that
do not belong to any group.
This means that you have to use the {ClassName} (e.g. User) group when specifying a group
sequence. When using Default, you get an infinite recursion (as the Default group references the
group sequence, which will contain the Default group which references the same group sequence,
...).

Group Sequence Providers
Imagine a User entity which can be a normal user or a premium user. When it's a premium user,
some extra constraints should be added to the user entity (e.g. the credit card details). To dynamically
determine which groups should be activated, you can create a Group Sequence Provider. First, create the
entity and a new constraint group called Premium:
Listing 11-17

1 # src/Acme/DemoBundle/Resources/config/validation.yml
2 Acme\DemoBundle\Entity\User:
3
properties:
4
name:
5
- NotBlank: ~
6
creditCard:
7
- CardScheme:
8
schemes: [VISA]
9
groups: [Premium]

Now, change the User class to implement GroupSequenceProviderInterface6 and add the
getGroupSequence()7, which should return an array of groups to use:
Listing 11-18

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

// src/Acme/DemoBundle/Entity/User.php
namespace Acme\DemoBundle\Entity;
// ...
use Symfony\Component\Validator\GroupSequenceProviderInterface;
class User implements GroupSequenceProviderInterface
{
// ...
public function getGroupSequence()
{
$groups = array('User');
if ($this->isPremium()) {
$groups[] = 'Premium';
}
return $groups;
}
}

At last, you have to notify the Validator component that your User class provides a sequence of groups
to be validated:
6. http://api.symfony.com/2.3/Symfony/Component/Validator/GroupSequenceProviderInterface.html
7. http://api.symfony.com/2.3/Symfony/Component/Validator/GroupSequenceProviderInterface.html#getGroupSequence()

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 145

Listing 11-19

1 # src/Acme/DemoBundle/Resources/config/validation.yml
2 Acme\DemoBundle\Entity\User:
3
group_sequence_provider: true

Validating Values and Arrays
So far, you've seen how you can validate entire objects. But sometimes, you just want to validate a simple
value - like to verify that a string is a valid email address. This is actually pretty easy to do. From inside a
controller, it looks like this:
Listing 11-20

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

use Symfony\Component\Validator\Constraints\Email;
// ...
public function addEmailAction($email)
{
$emailConstraint = new Email();
// all constraint "options" can be set this way
$emailConstraint->message = 'Invalid email address';

// use the validator to validate the value
$errorList = $this->get('validator')->validateValue(
$email,
$emailConstraint
);
if (count($errorList) == 0) {
// this IS a valid email address, do something
} else {
// this is *not* a valid email address
$errorMessage = $errorList[0]->getMessage();

// ... do something with the error
}

// ...
}

By calling validateValue on the validator, you can pass in a raw value and the constraint object that you
want to validate that value against. A full list of the available constraints - as well as the full class name
for each constraint - is available in the constraints reference section .
The validateValue method returns a ConstraintViolationList8 object, which acts just like an array
of errors. Each error in the collection is a ConstraintViolation9 object, which holds the error message
on its getMessage method.

Final Thoughts
The Symfony validator is a powerful tool that can be leveraged to guarantee that the data of any
object is "valid". The power behind validation lies in "constraints", which are rules that you can apply
to properties or getter methods of your object. And while you'll most commonly use the validation
framework indirectly when using forms, remember that it can be used anywhere to validate any object.
8. http://api.symfony.com/2.3/Symfony/Component/Validator/ConstraintViolationList.html
9. http://api.symfony.com/2.3/Symfony/Component/Validator/ConstraintViolation.html

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 146

Learn more from the Cookbook
• How to Create a custom Validation Constraint

PDF brought to you by
generated on October 9, 2014

Chapter 11: Validation | 147

Chapter 12

Forms
Dealing with HTML forms is one of the most common - and challenging - tasks for a web developer.
Symfony integrates a Form component that makes dealing with forms easy. In this chapter, you'll build
a complex form from the ground-up, learning the most important features of the form library along the
way.
The Symfony Form component is a standalone library that can be used outside of Symfony
projects. For more information, see the Symfony Form component1 on GitHub.

Creating a Simple Form
Suppose you're building a simple todo list application that will need to display "tasks". Because your users
will need to edit and create tasks, you're going to need to build a form. But before you begin, first focus
on the generic Task class that represents and stores the data for a single task:
Listing 12-1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

// src/Acme/TaskBundle/Entity/Task.php
namespace Acme\TaskBundle\Entity;
class Task
{
protected $task;
protected $dueDate;
public function getTask()
{
return $this->task;
}
public function setTask($task)

1. https://github.com/symfony/Form

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 148

16
17
18
19
20
21
22
23
24
25
26
27
28
29 }

{
$this->task = $task;
}
public function getDueDate()
{
return $this->dueDate;
}
public function setDueDate(\DateTime $dueDate = null)
{
$this->dueDate = $dueDate;
}

If you're coding along with this example, create the AcmeTaskBundle first by running the following
command (and accepting all of the default options):
Listing 12-2

1 $ php app/console generate:bundle --namespace=Acme/TaskBundle

This class is a "plain-old-PHP-object" because, so far, it has nothing to do with Symfony or any other
library. It's quite simply a normal PHP object that directly solves a problem inside your application (i.e.
the need to represent a task in your application). Of course, by the end of this chapter, you'll be able to
submit data to a Task instance (via an HTML form), validate its data, and persist it to the database.

Building the Form
Now that you've created a Task class, the next step is to create and render the actual HTML form. In
Symfony, this is done by building a form object and then rendering it in a template. For now, this can all
be done from inside a controller:
Listing 12-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

// src/Acme/TaskBundle/Controller/DefaultController.php
namespace Acme\TaskBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Acme\TaskBundle\Entity\Task;
use Symfony\Component\HttpFoundation\Request;
class DefaultController extends Controller
{
public function newAction(Request $request)
{
// create a task and give it some dummy data for this example
$task = new Task();
$task->setTask('Write a blog post');
$task->setDueDate(new \DateTime('tomorrow'));
$form = $this->createFormBuilder($task)
->add('task', 'text')
->add('dueDate', 'date')
->add('save', 'submit', array('label' => 'Create Post'))
->getForm();
return $this->render('AcmeTaskBundle:Default:new.html.twig', array(

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 149

24
25
26
27 }

'form' => $form->createView(),
));
}

This example shows you how to build your form directly in the controller. Later, in the "Creating
Form Classes" section, you'll learn how to build your form in a standalone class, which is
recommended as your form becomes reusable.

Creating a form requires relatively little code because Symfony form objects are built with a "form
builder". The form builder's purpose is to allow you to write simple form "recipes", and have it do all the
heavy-lifting of actually building the form.
In this example, you've added two fields to your form - task and dueDate - corresponding to the task
and dueDate properties of the Task class. You've also assigned each a "type" (e.g. text, date), which,
among other things, determines which HTML form tag(s) is rendered for that field.
Finally, you added a submit button with a custom label for submitting the form to the server.
New in version 2.3: Support for submit buttons was introduced in Symfony 2.3. Before that, you
had to add buttons to the form's HTML manually.

Symfony comes with many built-in types that will be discussed shortly (see Built-in Field Types).

Rendering the Form
Now that the form has been created, the next step is to render it. This is done by passing a special form
"view" object to your template (notice the $form->createView() in the controller above) and using a set
of form helper functions:
Listing 12-4

1 {# src/Acme/TaskBundle/Resources/views/Default/new.html.twig #}
2
3 {{ form(form) }}

This example assumes that you submit the form in a "POST" request and to the same URL that it
was displayed in. You will learn later how to change the request method and the target URL of the
form.

That's it! By printing form(form), each field in the form is rendered, along with a label and error message
(if there is one). The form function also surrounds everything in the necessary HTML <form> tag. As easy
PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 150

as this is, it's not very flexible (yet). Usually, you'll want to render each form field individually so you can
control how the form looks. You'll learn how to do that in the "Rendering a Form in a Template" section.
Before moving on, notice how the rendered task input field has the value of the task property from the
$task object (i.e. "Write a blog post"). This is the first job of a form: to take data from an object and
translate it into a format that's suitable for being rendered in an HTML form.
The form system is smart enough to access the value of the protected task property via the
getTask() and setTask() methods on the Task class. Unless a property is public, it must have
a "getter" and "setter" method so that the Form component can get and put data onto the
property. For a Boolean property, you can use an "isser" or "hasser" method (e.g. isPublished()
or hasReminder()) instead of a getter (e.g. getPublished() or getReminder()).

Handling Form Submissions
The second job of a form is to translate user-submitted data back to the properties of an object. To
make this happen, the submitted data from the user must be written into the form. Add the following
functionality to your controller:
Listing 12-5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

// ...
use Symfony\Component\HttpFoundation\Request;
public function newAction(Request $request)
{
// just setup a fresh $task object (remove the dummy data)
$task = new Task();
$form = $this->createFormBuilder($task)
->add('task', 'text')
->add('dueDate', 'date')
->add('save', 'submit', array('label' => 'Create Post'))
->getForm();
$form->handleRequest($request);
if ($form->isValid()) {
// perform some action, such as saving the task to the database
return $this->redirect($this->generateUrl('task_success'));
}

// ...
}

New in version 2.3: The handleRequest()2 method was introduced in Symfony 2.3. Previously, the
$request was passed to the submit method - a strategy which is deprecated and will be removed
in Symfony 3.0. For details on that method, see Passing a Request to Form::submit() (Deprecated).

This controller follows a common pattern for handling forms, and has three possible paths:

2. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#handleRequest()

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 151

1. When initially loading the page in a browser, the form is simply created and rendered.
handleRequest()3 recognizes that the form was not submitted and does nothing. isValid()4
returns false if the form was not submitted.
2. When the user submits the form, handleRequest()5 recognizes this and immediately writes the
submitted data back into the task and dueDate properties of the $task object. Then this object
is validated. If it is invalid (validation is covered in the next section), isValid()6 returns false
again, so the form is rendered together with all validation errors;
You can use the method isSubmitted()7 to check whether a form was submitted,
regardless of whether or not the submitted data is actually valid.

3. When the user submits the form with valid data, the submitted data is again written into the
form, but this time isValid()8 returns true. Now you have the opportunity to perform some
actions using the $task object (e.g. persisting it to the database) before redirecting the user to
some other page (e.g. a "thank you" or "success" page).
Redirecting a user after a successful form submission prevents the user from being able
to hit the "Refresh" button of their browser and re-post the data.

Submitting Forms with Multiple Buttons
New in version 2.3: Support for buttons in forms was introduced in Symfony 2.3.

When your form contains more than one submit button, you will want to check which of the buttons was
clicked to adapt the program flow in your controller. To do this, add a second button with the caption
"Save and add" to your form:
Listing 12-6

1 $form = $this->createFormBuilder($task)
2
->add('task', 'text')
3
->add('dueDate', 'date')
4
->add('save', 'submit', array('label' => 'Create Post'))
5
->add('saveAndAdd', 'submit', array('label' => 'Save and Add'))
6
->getForm();

In your controller, use the button's isClicked()9 method for querying if the "Save and add" button was
clicked:
Listing 12-7

1 if ($form->isValid()) {
2
// ... perform some action, such as saving the task to the database
3

3. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#handleRequest()
4. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#isValid()
5. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#handleRequest()
6. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#isValid()
7. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#isSubmitted()
8. http://api.symfony.com/2.3/Symfony/Component/Form/FormInterface.html#isValid()
9. http://api.symfony.com/2.3/Symfony/Component/Form/ClickableInterface.html#isClicked()

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 152

4
5
6
7
8
9 }

$nextAction = $form->get('saveAndAdd')->isClicked()
? 'task_new'
: 'task_success';
return $this->redirect($this->generateUrl($nextAction));

Form Validation
In the previous section, you learned how a form can be submitted with valid or invalid data. In Symfony,
validation is applied to the underlying object (e.g. Task). In other words, the question isn't whether the
"form" is valid, but whether or not the $task object is valid after the form has applied the submitted data
to it. Calling $form->isValid() is a shortcut that asks the $task object whether or not it has valid data.
Validation is done by adding a set of rules (called constraints) to a class. To see this in action, add
validation constraints so that the task field cannot be empty and the dueDate field cannot be empty and
must be a valid DateTime object.
Listing 12-8

1 # Acme/TaskBundle/Resources/config/validation.yml
2 Acme\TaskBundle\Entity\Task:
3
properties:
4
task:
5
- NotBlank: ~
6
dueDate:
7
- NotBlank: ~
8
- Type: \DateTime

That's it! If you re-submit the form with invalid data, you'll see the corresponding errors printed out with
the form.

HTML5 Validation
As of HTML5, many browsers can natively enforce certain validation constraints on the client
side. The most common validation is activated by rendering a required attribute on fields that
are required. For browsers that support HTML5, this will result in a native browser message being
displayed if the user tries to submit the form with that field blank.
Generated forms take full advantage of this new feature by adding sensible HTML attributes
that trigger the validation. The client-side validation, however, can be disabled by adding the
novalidate attribute to the form tag or formnovalidate to the submit tag. This is especially useful
when you want to test your server-side validation constraints, but are being prevented by your
browser from, for example, submitting blank fields.
Listing 12-9

1 {# src/Acme/DemoBundle/Resources/views/Default/new.html.twig #}
2
3 {{ form(form, {'attr': {'novalidate': 'novalidate'}}) }}

Validation is a very powerful feature of Symfony and has its own dedicated chapter.

Validation Groups
If your object takes advantage of validation groups, you'll need to specify which validation group(s) your
form should use:
PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 153

Listing 12-10

1 $form = $this->createFormBuilder($users, array(
2
'validation_groups' => array('registration'),
3 ))->add(...);

If you're creating form classes (a good practice), then you'll need to add the following to the
setDefaultOptions() method:
Listing 12-11

1
2
3
4
5
6
7
8

use Symfony\Component\OptionsResolver\OptionsResolverInterface;
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'validation_groups' => array('registration'),
));
}

In both of these cases, only the registration validation group will be used to validate the underlying
object.

Disabling Validation
New in version 2.3: The ability to set validation_groups to false was introduced in Symfony 2.3.

Sometimes it is useful to suppress the validation of a form altogether. For these cases you can set the
validation_groups option to false:
Listing 12-12

1
2
3
4
5
6
7
8

use Symfony\Component\OptionsResolver\OptionsResolverInterface;
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'validation_groups' => false,
));
}

Note that when you do that, the form will still run basic integrity checks, for example whether an
uploaded file was too large or whether non-existing fields were submitted. If you want to suppress
validation, you can use the POST_SUBMIT event.

Groups based on the Submitted Data
If you need some advanced logic to determine the validation groups (e.g. based on submitted data), you
can set the validation_groups option to an array callback:
Listing 12-13

1 use Symfony\Component\OptionsResolver\OptionsResolverInterface;
2
3 public function setDefaultOptions(OptionsResolverInterface $resolver)
4 {
5
$resolver->setDefaults(array(
6
'validation_groups' => array(
7
'Acme\AcmeBundle\Entity\Client',

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 154

8
9
10
11 }

'determineValidationGroups',
),
));

This will call the static method determineValidationGroups() on the Client class after the form is
submitted, but before validation is executed. The Form object is passed as an argument to that method
(see next example). You can also define whole logic inline by using a Closure:
Listing 12-14

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

use Symfony\Component\Form\FormInterface;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'validation_groups' => function(FormInterface $form) {
$data = $form->getData();
if (Entity\Client::TYPE_PERSON == $data->getType()) {
return array('person');
} else {
return array('company');
}
},
));
}

Groups based on the Clicked Button
New in version 2.3: Support for buttons in forms was introduced in Symfony 2.3.

When your form contains multiple submit buttons, you can change the validation group depending on
which button is used to submit the form. For example, consider a form in a wizard that lets you advance
to the next step or go back to the previous step. Also assume that when returning to the previous step,
the data of the form should be saved, but not validated.
First, we need to add the two buttons to the form:
Listing 12-15

1 $form = $this->createFormBuilder($task)
2
// ...
3
->add('nextStep', 'submit')
4
->add('previousStep', 'submit')
5
->getForm();

Then, we configure the button for returning to the previous step to run specific validation groups. In this
example, we want it to suppress validation, so we set its validation_groups option to false:
Listing 12-16

1 $form = $this->createFormBuilder($task)
2
// ...
3
->add('previousStep', 'submit', array(
4
'validation_groups' => false,
5
))
6
->getForm();

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 155

Now the form will skip your validation constraints. It will still validate basic integrity constraints, such
as checking whether an uploaded file was too large or whether you tried to submit text in a number field.

Built-in Field Types
Symfony comes standard with a large group of field types that cover all of the common form fields and
data types you'll encounter:

Text Fields











text
textarea
email
integer
money
number
password
percent
search
url

Choice Fields








choice
entity
country
language
locale
timezone
currency

Date and Time Fields





date
datetime
time
birthday

Other Fields
• checkbox
• file
• radio

Field Groups
• collection
• repeated

Hidden Fields
• hidden
PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 156

Buttons
• button
• reset
• submit

Base Fields
• form
You can also create your own custom field types. This topic is covered in the "How to Create a Custom
Form Field Type" article of the cookbook.

Field Type Options
Each field type has a number of options that can be used to configure it. For example, the dueDate field
is currently being rendered as 3 select boxes. However, the date field can be configured to be rendered as
a single text box (where the user would enter the date as a string in the box):
Listing 12-17

1 ->add('dueDate', 'date', array('widget' => 'single_text'))

Each field type has a number of different options that can be passed to it. Many of these are specific to
the field type and details can be found in the documentation for each type.

The required Option
The most common option is the required option, which can be applied to any field. By default,
the required option is set to true, meaning that HTML5-ready browsers will apply client-side
validation if the field is left blank. If you don't want this behavior, either set the required option
on your field to false or disable HTML5 validation.
Also note that setting the required option to true will not result in server-side validation to be
applied. In other words, if a user submits a blank value for the field (either with an old browser or
web service, for example), it will be accepted as a valid value unless you use Symfony's NotBlank
or NotNull validation constraint.
In other words, the required option is "nice", but true server-side validation should always be
used.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 157

The label Option
The label for the form field can be set using the label option, which can be applied to any field:
Listing 12-18

1 ->add('dueDate', 'date', array(
2
'widget' => 'single_text',
3
'label' => 'Due Date',
4 ))

The label for a field can also be set in the template rendering the form, see below. If you don't need
a label associated to your input, you can disable it by setting its value to false.

Field Type Guessing
Now that you've added validation metadata to the Task class, Symfony already knows a bit about your
fields. If you allow it, Symfony can "guess" the type of your field and set it up for you. In this example,
Symfony can guess from the validation rules that both the task field is a normal text field and the
dueDate field is a date field:
Listing 12-19

1 public function newAction()
2 {
3
$task = new Task();
4
5
$form = $this->createFormBuilder($task)
6
->add('task')
7
->add('dueDate', null, array('widget' => 'single_text'))
8
->add('save', 'submit')
9
->getForm();
10 }

The "guessing" is activated when you omit the second argument to the add() method (or if you pass null
to it). If you pass an options array as the third argument (done for dueDate above), these options are
applied to the guessed field.
If your form uses a specific validation group, the field type guesser will still consider all validation
constraints when guessing your field types (including constraints that are not part of the validation
group(s) being used).

Field Type Options Guessing
In addition to guessing the "type" for a field, Symfony can also try to guess the correct values of a number
of field options.
When these options are set, the field will be rendered with special HTML attributes that provide
for HTML5 client-side validation. However, it doesn't generate the equivalent server-side
constraints (e.g. Assert\Length). And though you'll need to manually add your server-side
validation, these field type options can then be guessed from that information.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 158

• required: The required option can be guessed based on the validation rules (i.e. is the field
NotBlank or NotNull) or the Doctrine metadata (i.e. is the field nullable). This is very useful,
as your client-side validation will automatically match your validation rules.
• max_length: If the field is some sort of text field, then the max_length option can be guessed
from the validation constraints (if Length or Range is used) or from the Doctrine metadata (via
the field's length).
These field options are only guessed if you're using Symfony to guess the field type (i.e. omit or
pass null as the second argument to add()).

If you'd like to change one of the guessed values, you can override it by passing the option in the options
field array:
Listing 12-20

1 ->add('task', null, array('max_length' => 4))

Rendering a Form in a Template
So far, you've seen how an entire form can be rendered with just one line of code. Of course, you'll usually
need much more flexibility when rendering:
Listing 12-21

1 {# src/Acme/TaskBundle/Resources/views/Default/new.html.twig #}
2 {{ form_start(form) }}
3
{{ form_errors(form) }}
4
5
{{ form_row(form.task) }}
6
{{ form_row(form.dueDate) }}
7 {{ form_end(form) }}

Take a look at each part:
• form_start(form) - Renders the start tag of the form.
• form_errors(form) - Renders any errors global to the whole form (field-specific errors are
displayed next to each field);
• form_row(form.dueDate) - Renders the label, any errors, and the HTML form widget for the
given field (e.g. dueDate) inside, by default, a div element;
• form_end() - Renders the end tag of the form and any fields that have not yet been rendered.
This is useful for rendering hidden fields and taking advantage of the automatic CSRF
Protection.
The majority of the work is done by the form_row helper, which renders the label, errors and HTML
form widget of each field inside a div tag by default. In the Form Theming section, you'll learn how the
form_row output can be customized on many different levels.
You can access the current data of your form via form.vars.value:
Listing 12-22

1 {{ form.vars.value.task }}

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 159

Rendering each Field by Hand
The form_row helper is great because you can very quickly render each field of your form (and the
markup used for the "row" can be customized as well). But since life isn't always so simple, you can also
render each field entirely by hand. The end-product of the following is the same as when you used the
form_row helper:
Listing 12-23

1 {{ form_start(form) }}
2
{{ form_errors(form) }}
3
4
<div>
5
{{ form_label(form.task) }}
6
{{ form_errors(form.task) }}
7
{{ form_widget(form.task) }}
8
</div>
9
10
<div>
11
{{ form_label(form.dueDate) }}
12
{{ form_errors(form.dueDate) }}
13
{{ form_widget(form.dueDate) }}
14
</div>
15
16
<div>
17
{{ form_widget(form.save) }}
18
</div>
19
20 {{ form_end(form) }}

If the auto-generated label for a field isn't quite right, you can explicitly specify it:
Listing 12-24

1 {{ form_label(form.task, 'Task Description') }}

Some field types have additional rendering options that can be passed to the widget. These options are
documented with each type, but one common options is attr, which allows you to modify attributes on
the form element. The following would add the task_field class to the rendered input text field:
Listing 12-25

1 {{ form_widget(form.task, {'attr': {'class': 'task_field'}}) }}

If you need to render form fields "by hand" then you can access individual values for fields such as the
id, name and label. For example to get the id:
Listing 12-26

1 {{ form.task.vars.id }}

To get the value used for the form field's name attribute you need to use the full_name value:
Listing 12-27

1 {{ form.task.vars.full_name }}

Twig Template Function Reference
If you're using Twig, a full reference of the form rendering functions is available in the reference manual.
Read this to know everything about the helpers available and the options that can be used with each.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 160

Changing the Action and Method of a Form
So far, the form_start() helper has been used to render the form's start tag and we assumed that each
form is submitted to the same URL in a POST request. Sometimes you want to change these parameters.
You can do so in a few different ways. If you build your form in the controller, you can use setAction()
and setMethod():
Listing 12-28

1 $form = $this->createFormBuilder($task)
2
->setAction($this->generateUrl('target_route'))
3
->setMethod('GET')
4
->add('task', 'text')
5
->add('dueDate', 'date')
6
->add('save', 'submit')
7
->getForm();

This example assumes that you've created a route called target_route that points to the controller
that processes the form.

In Creating Form Classes you will learn how to move the form building code into separate classes. When
using an external form class in the controller, you can pass the action and method as form options:
Listing 12-29

1 $form = $this->createForm(new TaskType(), $task, array(
2
'action' => $this->generateUrl('target_route'),
3
'method' => 'GET',
4 ));

Finally, you can override the action and method in the template by passing them to the form() or the
form_start() helper:
Listing 12-30

1 {# src/Acme/TaskBundle/Resources/views/Default/new.html.twig #}
2 {{ form(form, {'action': path('target_route'), 'method': 'GET'}) }}
3
4 {{ form_start(form, {'action': path('target_route'), 'method': 'GET'}) }}

If the form's method is not GET or POST, but PUT, PATCH or DELETE, Symfony will insert
a hidden field with the name _method that stores this method. The form will be submitted in a
normal POST request, but Symfony's router is capable of detecting the _method parameter and will
interpret it as a PUT, PATCH or DELETE request. Read the cookbook chapter "How to Use HTTP
Methods beyond GET and POST in Routes" for more information.

Creating Form Classes
As you've seen, a form can be created and used directly in a controller. However, a better practice is
to build the form in a separate, standalone PHP class, which can then be reused anywhere in your
application. Create a new class that will house the logic for building the task form:
Listing 12-31

1 // src/Acme/TaskBundle/Form/Type/TaskType.php
2 namespace Acme\TaskBundle\Form\Type;

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 161

3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
class TaskType extends AbstractType
{
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder
->add('task')
->add('dueDate', null, array('widget' => 'single_text'))
->add('save', 'submit');
}
public function getName()
{
return 'task';
}
}

This new class contains all the directions needed to create the task form (note that the getName() method
should return a unique identifier for this form "type"). It can be used to quickly build a form object in the
controller:
Listing 12-32

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/TaskBundle/Controller/DefaultController.php
// add this new use statement at the top of the class
use Acme\TaskBundle\Form\Type\TaskType;
public function newAction()
{
$task = ...;
$form = $this->createForm(new TaskType(), $task);

// ...
}

Placing the form logic into its own class means that the form can be easily reused elsewhere in your
project. This is the best way to create forms, but the choice is ultimately up to you.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 162

Setting the data_class
Every form needs to know the name of the class that holds the underlying data (e.g.
Acme\TaskBundle\Entity\Task). Usually, this is just guessed based off of the object passed to the
second argument to createForm (i.e. $task). Later, when you begin embedding forms, this will no
longer be sufficient. So, while not always necessary, it's generally a good idea to explicitly specify
the data_class option by adding the following to your form type class:
Listing 12-33

1
2
3
4
5
6
7
8

use Symfony\Component\OptionsResolver\OptionsResolverInterface;
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'data_class' => 'Acme\TaskBundle\Entity\Task',
));
}

When mapping forms to objects, all fields are mapped. Any fields on the form that do not exist on
the mapped object will cause an exception to be thrown.
In cases where you need extra fields in the form (for example: a "do you agree with these terms"
checkbox) that will not be mapped to the underlying object, you need to set the mapped option to
false:
Listing 12-34

1
2
3
4
5
6
7
8
9

use Symfony\Component\Form\FormBuilderInterface;
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder
->add('task')
->add('dueDate', null, array('mapped' => false))
->add('save', 'submit');
}

Additionally, if there are any fields on the form that aren't included in the submitted data, those
fields will be explicitly set to null.
The field data can be accessed in a controller with:
Listing 12-35

1 $form->get('dueDate')->getData();

In addition, the data of an unmapped field can also be modified directly:
Listing 12-36

1 $form->get('dueDate')->setData(new \DateTime());

Defining your Forms as Services
Defining your form type as a service is a good practice and makes it really easy to use in your application.
Services and the service container will be handled later on in this book. Things will be more clear
after reading that chapter.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 163

Listing 12-37

1 # src/Acme/TaskBundle/Resources/config/services.yml
2 services:
3
acme_demo.form.type.task:
4
class: Acme\TaskBundle\Form\Type\TaskType
5
tags:
6
- { name: form.type, alias: task }

That's it! Now you can use your form type directly in a controller:
Listing 12-38

1
2
3
4
5
6
7
8
9
10

// src/Acme/TaskBundle/Controller/DefaultController.php
// ...
public function newAction()
{
$task = ...;
$form = $this->createForm('task', $task);

// ...
}

or even use from within the form type of another form:
Listing 12-39

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/TaskBundle/Form/Type/ListType.php
// ...
class ListType extends AbstractType
{
public function buildForm(FormBuilderInterface $builder, array $options)
{
// ...
$builder->add('someTask', 'task');
}
}

Read Creating your Field Type as a Service for more information.

Forms and Doctrine
The goal of a form is to translate data from an object (e.g. Task) to an HTML form and then translate
user-submitted data back to the original object. As such, the topic of persisting the Task object to the
database is entirely unrelated to the topic of forms. But, if you've configured the Task class to be persisted
via Doctrine (i.e. you've added mapping metadata for it), then persisting it after a form submission can be
done when the form is valid:
Listing 12-40

1 if ($form->isValid()) {
2
$em = $this->getDoctrine()->getManager();
3
$em->persist($task);
4
$em->flush();
5
6
return $this->redirect($this->generateUrl('task_success'));
7 }

If, for some reason, you don't have access to your original $task object, you can fetch it from the form:

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 164

Listing 12-41

1 $task = $form->getData();

For more information, see the Doctrine ORM chapter.
The key thing to understand is that when the form is submitted, the submitted data is transferred to the
underlying object immediately. If you want to persist that data, you simply need to persist the object itself
(which already contains the submitted data).

Embedded Forms
Often, you'll want to build a form that will include fields from many different objects. For example,
a registration form may contain data belonging to a User object as well as many Address objects.
Fortunately, this is easy and natural with the Form component.

Embedding a Single Object
Suppose that each Task belongs to a simple Category object. Start, of course, by creating the Category
object:
Listing 12-42

1
2
3
4
5
6
7
8
9
10
11
12

// src/Acme/TaskBundle/Entity/Category.php
namespace Acme\TaskBundle\Entity;
use Symfony\Component\Validator\Constraints as Assert;
class Category
{
/**
* @Assert\NotBlank()
*/
public $name;
}

Next, add a new category property to the Task class:
Listing 12-43

1 // ...
2
3 class Task
4 {
5
// ...
6
7
/**
8
* @Assert\Type(type="Acme\TaskBundle\Entity\Category")
9
*/
10
protected $category;
11
12
// ...
13
14
public function getCategory()
15
{
16
return $this->category;
17
}
18
19
public function setCategory(Category $category = null)
20
{
21
$this->category = $category;

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 165

22
23 }

}

Now that your application has been updated to reflect the new requirements, create a form class so that
a Category object can be modified by the user:
Listing 12-44

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

// src/Acme/TaskBundle/Form/Type/CategoryType.php
namespace Acme\TaskBundle\Form\Type;
use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;
class CategoryType extends AbstractType
{
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder->add('name');
}
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'data_class' => 'Acme\TaskBundle\Entity\Category',
));
}
public function getName()
{
return 'category';
}
}

The end goal is to allow the Category of a Task to be modified right inside the task form itself. To
accomplish this, add a category field to the TaskType object whose type is an instance of the new
CategoryType class:
Listing 12-45

1
2
3
4
5
6
7
8

use Symfony\Component\Form\FormBuilderInterface;
public function buildForm(FormBuilderInterface $builder, array $options)
{
// ...
$builder->add('category', new CategoryType());
}

The fields from CategoryType can now be rendered alongside those from the TaskType class. To activate
validation on CategoryType, add the cascade_validation option to TaskType:
Listing 12-46

1 public function setDefaultOptions(OptionsResolverInterface $resolver)
2 {
3
$resolver->setDefaults(array(
4
'data_class' => 'Acme\TaskBundle\Entity\Task',
5
'cascade_validation' => true,
6
));
7 }

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 166

Render the Category fields in the same way as the original Task fields:
Listing 12-47

1
2
3
4
5
6
7
8

{# ... #}
<h3>Category</h3>
<div class="category">
{{ form_row(form.category.name) }}
</div>

{# ... #}

When the user submits the form, the submitted data for the Category fields are used to construct an
instance of Category, which is then set on the category field of the Task instance.
The Category instance is accessible naturally via $task->getCategory() and can be persisted to the
database or used however you need.

Embedding a Collection of Forms
You can also embed a collection of forms into one form (imagine a Category form with many Product
sub-forms). This is done by using the collection field type.
For more information see the "How to Embed a Collection of Forms" cookbook entry and the collection
field type reference.

Form Theming
Every part of how a form is rendered can be customized. You're free to change how each form "row"
renders, change the markup used to render errors, or even customize how a textarea tag should be
rendered. Nothing is off-limits, and different customizations can be used in different places.
Symfony uses templates to render each and every part of a form, such as label tags, input tags, error
messages and everything else.
In Twig, each form "fragment" is represented by a Twig block. To customize any part of how a form
renders, you just need to override the appropriate block.
In PHP, each form "fragment" is rendered via an individual template file. To customize any part of how a
form renders, you just need to override the existing template by creating a new one.
To understand how this works, customize the form_row fragment and add a class attribute to the div
element that surrounds each row. To do this, create a new template file that will store the new markup:
Listing 12-48

1
2
3
4
5
6
7
8
9
10

{# src/Acme/TaskBundle/Resources/views/Form/fields.html.twig #}
{% block form_row %}
{% spaceless %}
<div class="form_row">
{{ form_label(form) }}
{{ form_errors(form) }}
{{ form_widget(form) }}
</div>
{% endspaceless %}
{% endblock form_row %}

The form_row form fragment is used when rendering most fields via the form_row function. To tell the
Form component to use your new form_row fragment defined above, add the following to the top of the
template that renders the form:
Listing 12-49

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 167

1
2
3
4
5
6

{# src/Acme/TaskBundle/Resources/views/Default/new.html.twig #}
{% form_theme form 'AcmeTaskBundle:Form:fields.html.twig' %}
{% form_theme form 'AcmeTaskBundle:Form:fields.html.twig'
'AcmeTaskBundle:Form:fields2.html.twig' %}

<!-- ... render the form -->

The form_theme tag (in Twig) "imports" the fragments defined in the given template and uses them when
rendering the form. In other words, when the form_row function is called later in this template, it will
use the form_row block from your custom theme (instead of the default form_row block that ships with
Symfony).
Your custom theme does not have to override all the blocks. When rendering a block which is not
overridden in your custom theme, the theming engine will fall back to the global theme (defined at the
bundle level).
If several custom themes are provided they will be searched in the listed order before falling back to the
global theme.
To customize any portion of a form, you just need to override the appropriate fragment. Knowing exactly
which block or file to override is the subject of the next section.
Listing 12-50

1 {# src/Acme/TaskBundle/Resources/views/Default/new.html.twig #}
2
3 {% form_theme form with 'AcmeTaskBundle:Form:fields.html.twig' %}
4
5 {% form_theme form with ['AcmeTaskBundle:Form:fields.html.twig',
'AcmeTaskBundle:Form:fields2.html.twig'] %}

For a more extensive discussion, see How to Customize Form Rendering.

Form Fragment Naming
In Symfony, every part of a form that is rendered - HTML form elements, errors, labels, etc. - is defined
in a base theme, which is a collection of blocks in Twig and a collection of template files in PHP.
In Twig, every block needed is defined in a single template file (form_div_layout.html.twig10) that lives
inside the Twig Bridge11. Inside this file, you can see every block needed to render a form and every default
field type.
In PHP, the fragments are individual template files. By default they are located in the Resources/views/
Form directory of the framework bundle (view on GitHub12).
Each fragment name follows the same basic pattern and is broken up into two pieces, separated by a
single underscore character (_). A few examples are:
• form_row - used by form_row to render most fields;
• textarea_widget - used by form_widget to render a textarea field type;
• form_errors - used by form_errors to render errors for a field;
Each fragment follows the same basic pattern: type_part. The type portion corresponds to the field type
being rendered (e.g. textarea, checkbox, date, etc) whereas the part portion corresponds to what is
being rendered (e.g. label, widget, errors, etc). By default, there are 4 possible parts of a form that can
be rendered:
10. https://github.com/symfony/symfony/blob/2.3/src/Symfony/Bridge/Twig/Resources/views/Form/form_div_layout.html.twig
11. https://github.com/symfony/symfony/tree/2.3/src/Symfony/Bridge/Twig
12. https://github.com/symfony/symfony/tree/2.3/src/Symfony/Bundle/FrameworkBundle/Resources/views/Form

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 168

label

(e.g. form_label)

renders the field's label

widget

(e.g. form_widget)

renders the field's HTML representation

errors

(e.g. form_errors)

renders the field's errors

row

(e.g. form_row)

renders the field's entire row (label, widget & errors)

There are actually 2 other parts - rows and rest - but you should rarely if ever need to worry about
overriding them.

By knowing the field type (e.g. textarea) and which part you want to customize (e.g. widget), you can
construct the fragment name that needs to be overridden (e.g. textarea_widget).

Template Fragment Inheritance
In some cases, the fragment you want to customize will appear to be missing. For example, there is no
textarea_errors fragment in the default themes provided with Symfony. So how are the errors for a
textarea field rendered?
The answer is: via the form_errors fragment. When Symfony renders the errors for a textarea type, it
looks first for a textarea_errors fragment before falling back to the form_errors fragment. Each field
type has a parent type (the parent type of textarea is text, its parent is form), and Symfony uses the
fragment for the parent type if the base fragment doesn't exist.
So, to override the errors for only textarea fields, copy the form_errors fragment, rename it to
textarea_errors and customize it. To override the default error rendering for all fields, copy and
customize the form_errors fragment directly.
The "parent" type of each field type is available in the form type reference for each field type.

Global Form Theming
In the above example, you used the form_theme helper (in Twig) to "import" the custom form fragments
into just that form. You can also tell Symfony to import form customizations across your entire project.

Twig
To automatically include the customized blocks from the fields.html.twig template created earlier in
all templates, modify your application configuration file:
Listing 12-51

1 # app/config/config.yml
2 twig:
3
form:
4
resources:
5
- 'AcmeTaskBundle:Form:fields.html.twig'
6
# ...

Any blocks inside the fields.html.twig template are now used globally to define form output.

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 169

Customizing Form Output all in a Single File with Twig
In Twig, you can also customize a form block right inside the template where that customization
is needed:
Listing 12-52

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

{% extends '::base.html.twig' %}

{# import "_self" as the form theme #}
{% form_theme form _self %}
{# make the form fragment customization #}
{% block form_row %}
{# custom field row output #}
{% endblock form_row %}
{% block content %}
{# ... #}
{{ form_row(form.task) }}
{% endblock %}

The {% form_theme form _self %} tag allows form blocks to be customized directly inside
the template that will use those customizations. Use this method to quickly make form output
customizations that will only ever be needed in a single template.
This {% form_theme form _self %} functionality will only work if your template extends
another. If your template does not, you must point form_theme to a separate template.

PHP
To automatically include the customized templates from the Acme/TaskBundle/Resources/views/Form
directory created earlier in all templates, modify your application configuration file:
Listing 12-53

1 # app/config/config.yml
2 framework:
3
templating:
4
form:
5
resources:
6
- 'AcmeTaskBundle:Form'
7 # ...

Any fragments inside the Acme/TaskBundle/Resources/views/Form directory are now used globally to
define form output.

CSRF Protection
CSRF - or Cross-site request forgery13 - is a method by which a malicious user attempts to make your
legitimate users unknowingly submit data that they don't intend to submit. Fortunately, CSRF attacks
can be prevented by using a CSRF token inside your forms.

13. http://en.wikipedia.org/wiki/Cross-site_request_forgery

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 170

The good news is that, by default, Symfony embeds and validates CSRF tokens automatically for you.
This means that you can take advantage of the CSRF protection without doing anything. In fact, every
form in this chapter has taken advantage of the CSRF protection!
CSRF protection works by adding a hidden field to your form - called _token by default - that contains a
value that only you and your user knows. This ensures that the user - not some other entity - is submitting
the given data. Symfony automatically validates the presence and accuracy of this token.
The _token field is a hidden field and will be automatically rendered if you include the form_end()
function in your template, which ensures that all un-rendered fields are output.
The CSRF token can be customized on a form-by-form basis. For example:
Listing 12-54

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

use Symfony\Component\OptionsResolver\OptionsResolverInterface;
class TaskType extends AbstractType
{
// ...
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
$resolver->setDefaults(array(
'data_class'
=> 'Acme\TaskBundle\Entity\Task',
'csrf_protection' => true,
'csrf_field_name' => '_token',
// a unique key to help generate the secret token
'intention'
=> 'task_item',
));
}

// ...
}

To disable CSRF protection, set the csrf_protection option to false. Customizations can also be made
globally in your project. For more information, see the form configuration reference section.
The intention option is optional but greatly enhances the security of the generated token by
making it different for each form.

Using a Form without a Class
In most cases, a form is tied to an object, and the fields of the form get and store their data on the
properties of that object. This is exactly what you've seen so far in this chapter with the Task class.
But sometimes, you may just want to use a form without a class, and get back an array of the submitted
data. This is actually really easy:
Listing 12-55

1
2
3
4
5
6
7
8
9

// make sure you've imported the Request namespace above the class
use Symfony\Component\HttpFoundation\Request;
// ...
public function contactAction(Request $request)
{
$defaultData = array('message' => 'Type your message here');
$form = $this->createFormBuilder($defaultData)
->add('name', 'text')

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 171

10
11
12
13
14
15
16
17
18
19
20
21
22
23 }

->add('email', 'email')
->add('message', 'textarea')
->add('send', 'submit')
->getForm();
$form->handleRequest($request);
if ($form->isValid()) {
// data is an array with "name", "email", and "message" keys
$data = $form->getData();
}

// ... render the form

By default, a form actually assumes that you want to work with arrays of data, instead of an object. There
are exactly two ways that you can change this behavior and tie the form to an object instead:
1. Pass an object when creating the form (as the first argument to createFormBuilder or the
second argument to createForm);
2. Declare the data_class option on your form.
If you don't do either of these, then the form will return the data as an array. In this example, since
$defaultData is not an object (and no data_class option is set), $form->getData() ultimately returns
an array.
You can also access POST values (in this case "name") directly through the request object, like so:
Listing 12-56

1 $this->get('request')->request->get('name');

Be advised, however, that in most cases using the getData() method is a better choice, since it
returns the data (usually an object) after it's been transformed by the form framework.

Adding Validation
The only missing piece is validation. Usually, when you call $form->isValid(), the object is validated
by reading the constraints that you applied to that class. If your form is mapped to an object (i.e. you're
using the data_class option or passing an object to your form), this is almost always the approach you
want to use. See Validation for more details.
But if the form is not mapped to an object and you instead want to retrieve a simple array of your
submitted data, how can you add constraints to the data of your form?
The answer is to setup the constraints yourself, and attach them to the individual fields. The overall
approach is covered a bit more in the validation chapter, but here's a short example:
New in version 2.1: The constraints option, which accepts a single constraint or an array of
constraints (before 2.1, the option was called validation_constraint, and only accepted a single
constraint) was introduced in Symfony 2.1.

Listing 12-57

1 use Symfony\Component\Validator\Constraints\Length;
2 use Symfony\Component\Validator\Constraints\NotBlank;
3
4 $builder

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 172

5
6
7
8
9
10
11
12
13
14 ;

->add('firstName', 'text', array(
'constraints' => new Length(array('min' => 3)),
))
->add('lastName', 'text', array(
'constraints' => array(
new NotBlank(),
new Length(array('min' => 3)),
),
))

If you are using validation groups, you need to either reference the Default group when creating
the form, or set the correct group on the constraint you are adding.

Listing 12-58

1 new NotBlank(array('groups' => array('create', 'update'))

Final Thoughts
You now know all of the building blocks necessary to build complex and functional forms for your
application. When building forms, keep in mind that the first goal of a form is to translate data from an
object (Task) to an HTML form so that the user can modify that data. The second goal of a form is to
take the data submitted by the user and to re-apply it to the object.
There's still much more to learn about the powerful world of forms, such as how to handle file uploads
with Doctrine or how to create a form where a dynamic number of sub-forms can be added (e.g. a todo
list where you can keep adding more fields via JavaScript before submitting). See the cookbook for these
topics. Also, be sure to lean on the field type reference documentation, which includes examples of how to
use each field type and its options.

Learn more from the Cookbook







How to Handle File Uploads with Doctrine
File Field Reference
Creating Custom Field Types
How to Customize Form Rendering
How to Dynamically Modify Forms Using Form Events
How to Use Data Transformers

PDF brought to you by
generated on October 9, 2014

Chapter 12: Forms | 173

Chapter 13

Security
Security is a two-step process whose goal is to prevent a user from accessing a resource that they should
not have access to.
In the first step of the process, the security system identifies who the user is by requiring the user to
submit some sort of identification. This is called authentication, and it means that the system is trying
to find out who you are.
Once the system knows who you are, the next step is to determine if you should have access to a given
resource. This part of the process is called authorization, and it means that the system is checking to see
if you have privileges to perform a certain action.

Since the best way to learn is to see an example, just imagine that you want to secure your application
with HTTP Basic authentication.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 174

Symfony's security component is available as a standalone PHP library for use inside any PHP
project.

Basic Example: HTTP Authentication
The Security component can be configured via your application configuration. In fact, most standard
security setups are just a matter of using the right configuration. The following configuration tells
Symfony to secure any URL matching /admin/* and to ask the user for credentials using basic HTTP
authentication (i.e. the old-school username/password box):
Listing 13-1

1 # app/config/security.yml
2 security:
3
firewalls:
4
secured_area:
5
pattern:
^/
6
anonymous: ~
7
http_basic:
8
realm: "Secured Demo Area"
9
10
access_control:
11
- { path: ^/admin/, roles: ROLE_ADMIN }
12
# Include the following line to also secure the /admin path itself
13
# - { path: ^/admin$, roles: ROLE_ADMIN }
14
15
providers:
16
in_memory:
17
memory:
18
users:
19
ryan: { password: ryanpass, roles: 'ROLE_USER' }
20
admin: { password: kitten, roles: 'ROLE_ADMIN' }
21
22
encoders:
23
Symfony\Component\Security\Core\User\User: plaintext

A standard Symfony distribution separates the security configuration into a separate file (e.g. app/
config/security.yml). If you don't have a separate security file, you can put the configuration
directly into your main config file (e.g. app/config/config.yml).

The end result of this configuration is a fully-functional security system that looks like the following:





There are two users in the system (ryan and admin);
Users authenticate themselves via the basic HTTP authentication prompt;
Any URL matching /admin/* is secured, and only the admin user can access it;
All URLs not matching /admin/* are accessible by all users (and the user is never prompted to
log in).

Read this short summary about how security works and how each part of the configuration comes into
play.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 175

How Security Works: Authentication and Authorization
Symfony's security system works by determining who a user is (i.e. authentication) and then checking to
see if that user should have access to a specific resource or URL.

Firewalls (Authentication)
When a user makes a request to a URL that's protected by a firewall, the security system is activated. The
job of the firewall is to determine whether or not the user needs to be authenticated, and if they do, to
send a response back to the user initiating the authentication process.
A firewall is activated when the URL of an incoming request matches the configured firewall's regular
expression pattern config value. In this example, the pattern (^/) will match every incoming request.
The fact that the firewall is activated does not mean, however, that the HTTP authentication username
and password box is displayed for every URL. For example, any user can access /foo without being
prompted to authenticate.

This works first because the firewall allows anonymous users via the anonymous configuration parameter.
In other words, the firewall doesn't require the user to fully authenticate immediately. And because no
special role is needed to access /foo (under the access_control section), the request can be fulfilled
without ever asking the user to authenticate.
If you remove the anonymous key, the firewall will always make a user fully authenticate immediately.

Access Controls (Authorization)
If a user requests /admin/foo, however, the process behaves differently. This is because of the
access_control configuration section that says that any URL matching the regular expression pattern
^/admin (i.e. /admin or anything matching /admin/*) requires the ROLE_ADMIN role. Roles are the basis
for most authorization: a user can access /admin/foo only if it has the ROLE_ADMIN role.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 176

Like before, when the user originally makes the request, the firewall doesn't ask for any identification.
However, as soon as the access control layer denies the user access (because the anonymous user doesn't
have the ROLE_ADMIN role), the firewall jumps into action and initiates the authentication process. The
authentication process depends on the authentication mechanism you're using. For example, if you're
using the form login authentication method, the user will be redirected to the login page. If you're using
HTTP authentication, the user will be sent an HTTP 401 response so that the user sees the username and
password box.
The user now has the opportunity to submit its credentials back to the application. If the credentials are
valid, the original request can be re-tried.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 177

In this example, the user ryan successfully authenticates with the firewall. But since ryan doesn't have
the ROLE_ADMIN role, they're still denied access to /admin/foo. Ultimately, this means that the user will
see some sort of message indicating that access has been denied.
When Symfony denies the user access, the user sees an error screen and receives a 403 HTTP status
code (Forbidden). You can customize the access denied error screen by following the directions in
the Error Pages cookbook entry to customize the 403 error page.

Finally, if the admin user requests /admin/foo, a similar process takes place, except now, after being
authenticated, the access control layer will let the request pass through:

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 178

The request flow when a user requests a protected resource is straightforward, but incredibly flexible. As
you'll see later, authentication can be handled in any number of ways, including via a form login, X.509
certificate, or by authenticating the user via Twitter. Regardless of the authentication method, the request
flow is always the same:
1. A user accesses a protected resource;
2. The application redirects the user to the login form;
3. The user submits its credentials (e.g. username/password);
4. The firewall authenticates the user;
5. The authenticated user re-tries the original request.
The exact process actually depends a little bit on which authentication mechanism you're using.
For example, when using form login, the user submits its credentials to one URL that processes the
form (e.g. /login_check) and then is redirected back to the originally requested URL (e.g. /admin/
foo). But with HTTP authentication, the user submits its credentials directly to the original URL
(e.g. /admin/foo) and then the page is returned to the user in that same request (i.e. no redirect).
These types of idiosyncrasies shouldn't cause you any problems, but they're good to keep in mind.

You'll also learn later how anything can be secured in Symfony, including specific controllers,
objects, or even PHP methods.

Using a Traditional Login Form

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 179

In this section, you'll learn how to create a basic login form that continues to use the hard-coded
users that are defined in the security.yml file.
To load users from the database, please read How to Load Security Users from the Database (the
Entity Provider). By reading that article and this section, you can create a full login form system
that loads users from the database.

So far, you've seen how to blanket your application beneath a firewall and then protect access to certain
areas with roles. By using HTTP Authentication, you can effortlessly tap into the native username/
password box offered by all browsers. However, Symfony supports many authentication mechanisms out
of the box. For details on all of them, see the Security Configuration Reference.
In this section, you'll enhance this process by allowing the user to authenticate via a traditional HTML
login form.
First, enable form login under your firewall:
Listing 13-2

1 # app/config/security.yml
2 security:
3
firewalls:
4
secured_area:
5
pattern:
^/
6
anonymous: ~
7
form_login:
8
login_path: login
9
check_path: login_check

If you don't need to customize your login_path or check_path values (the values used here are
the default values), you can shorten your configuration:
Listing 13-3

1 form_login: ~

Now, when the security system initiates the authentication process, it will redirect the user to the login
form (/login by default). Implementing this login form visually is your job. First, create the two routes
you used in the security configuration: the login route will display the login form (i.e. /login) and the
login_check route will handle the login form submission (i.e. /login_check):
Listing 13-4

1 # app/config/routing.yml
2 login:
3
path:
/login
4
defaults: { _controller: AcmeSecurityBundle:Security:login }
5 login_check:
6
path: /login_check

You will not need to implement a controller for the /login_check URL as the firewall will
automatically catch and process any form submitted to this URL.

New in version 2.1: As of Symfony 2.1, you must have routes configured for your login_path and
check_path. These keys can be route names (as shown in this example) or URLs that have routes
configured for them.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 180

Notice that the name of the login route matches the login_path config value, as that's where the
security system will redirect users that need to login.
Next, create the controller that will display the login form:
Listing 13-5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

// src/Acme/SecurityBundle/Controller/SecurityController.php;
namespace Acme\SecurityBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\SecurityContextInterface;
class SecurityController extends Controller
{
public function loginAction(Request $request)
{
$session = $request->getSession();

// get the login error if there is one
if ($request->attributes->has(SecurityContextInterface::AUTHENTICATION_ERROR)) {
$error = $request->attributes->get(
SecurityContextInterface::AUTHENTICATION_ERROR
);
} elseif (null !== $session &&
$session->has(SecurityContextInterface::AUTHENTICATION_ERROR)) {
$error = $session->get(SecurityContextInterface::AUTHENTICATION_ERROR);
$session->remove(SecurityContextInterface::AUTHENTICATION_ERROR);
} else {
$error = '';
}
// last username entered by the user
$lastUsername = (null === $session) ? '' :
$session->get(SecurityContextInterface::LAST_USERNAME);
return $this->render(
'AcmeSecurityBundle:Security:login.html.twig',
array(
// last username entered by the user
'last_username' => $lastUsername,
'error'
=> $error,
)
);
}
}

Don't let this controller confuse you. As you'll see in a moment, when the user submits the form, the
security system automatically handles the form submission for you. If the user had submitted an invalid
username or password, this controller reads the form submission error from the security system so that it
can be displayed back to the user.
In other words, your job is to display the login form and any login errors that may have occurred, but the
security system itself takes care of checking the submitted username and password and authenticating
the user.
Finally, create the corresponding template:
Listing 13-6

1 {# src/Acme/SecurityBundle/Resources/views/Security/login.html.twig #}
2 {% if error %}
3
<div>{{ error.message }}</div>

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 181

4 {% endif %}
5
6 <form action="{{ path('login_check') }}" method="post">
7
<label for="username">Username:</label>
8
<input type="text" id="username" name="_username" value="{{ last_username }}" />
9
10
<label for="password">Password:</label>
11
<input type="password" id="password" name="_password" />
12
13
{#
14
If you want to control the URL the user
15
is redirected to on success (more details below)
16
<input type="hidden" name="_target_path" value="/account" />
17
#}
18
19
<button type="submit">login</button>
20 </form>

This login form is currently not protected against CSRF attacks. Read Using CSRF Protection in the
Login Form on how to protect your login form.

The error variable passed into the template is an instance of AuthenticationException1. It may
contain more information - or even sensitive information - about the authentication failure, so use
it wisely!

The form has very few requirements. First, by submitting the form to /login_check (via the
login_check route), the security system will intercept the form submission and process the form for
you automatically. Second, the security system expects the submitted fields to be called _username and
_password (these field names can be configured).
And that's it! When you submit the form, the security system will automatically check the user's
credentials and either authenticate the user or send the user back to the login form where the error can
be displayed.
To review the whole process:
1. The user tries to access a resource that is protected;
2. The firewall initiates the authentication process by redirecting the user to the login form
(/login);
3. The /login page renders login form via the route and controller created in this example;
4. The user submits the login form to /login_check;
5. The security system intercepts the request, checks the user's submitted credentials,
authenticates the user if they are correct, and sends the user back to the login form if they are
not.
By default, if the submitted credentials are correct, the user will be redirected to the original page that
was requested (e.g. /admin/foo). If the user originally went straight to the login page, he'll be redirected
to the homepage. This can be highly customized, allowing you to, for example, redirect the user to a
specific URL.
For more details on this and how to customize the form login process in general, see How to Customize
your Form Login.

1. http://api.symfony.com/2.3/Symfony/Component/Security/Core/Exception/AuthenticationException.html

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 182

Avoid common Pitfalls
When setting up your login form, watch out for a few common pitfalls.
1. Create the correct routes
First, be sure that you've defined the login and login_check routes correctly and that they
correspond to the login_path and check_path config values. A misconfiguration here can mean
that you're redirected to a 404 page instead of the login page, or that submitting the login form
does nothing (you just see the login form over and over again).
2. Be sure the login page isn't secure
Also, be sure that the login page does not require any roles to be viewed. For example, the following
configuration - which requires the ROLE_ADMIN role for all URLs (including the /login URL), will
cause a redirect loop:
Listing 13-7

1 # app/config/security.yml
2
3 # ...
4 access_control:
5
- { path: ^/, roles: ROLE_ADMIN }

Removing the access control on the /login URL fixes the problem:
Listing 13-8

1 # app/config/security.yml
2
3 # ...
4 access_control:
5
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
6
- { path: ^/, roles: ROLE_ADMIN }

Also, if your firewall does not allow for anonymous users, you'll need to create a special firewall
that allows anonymous users for the login page:
Listing 13-9

1 # app/config/security.yml
2
3 # ...
4 firewalls:
5
login_firewall:
6
pattern:
^/login$
7
anonymous: ~
8
secured_area:
9
pattern:
^/
10
form_login: ~

3. Be sure /login_check is behind a firewall
Next, make sure that your check_path URL (e.g. /login_check) is behind the firewall you're
using for your form login (in this example, the single firewall matches all URLs, including
/login_check). If /login_check doesn't match any firewall, you'll receive a Unable to find the
controller for path "/login_check" exception.
4. Multiple firewalls don't share security context
If you're using multiple firewalls and you authenticate against one firewall, you will not be
authenticated against any other firewalls automatically. Different firewalls are like different
security systems. To do this you have to explicitly specify the same Firewall Context for different
firewalls. But usually for most applications, having one main firewall is enough.
5. Routing error pages are not covered by firewalls

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 183

As Routing is done before security, Routing error pages are not covered by any firewall. This means
you can't check for security or even access the user object on these pages. See How to Customize
Error Pages for more details.

Authorization
The first step in security is always authentication. Once the user has been authenticated, authorization
begins. Authorization provides a standard and powerful way to decide if a user can access any resource
(a URL, a model object, a method call, ...). This works by assigning specific roles to each user, and then
requiring different roles for different resources.
The process of authorization has two different sides:
1. The user has a specific set of roles;
2. A resource requires a specific role in order to be accessed.
In this section, you'll focus on how to secure different resources (e.g. URLs, method calls, etc) with
different roles. Later, you'll learn more about how roles are created and assigned to users.

Securing specific URL Patterns
The most basic way to secure part of your application is to secure an entire URL pattern. You've seen
this already in the first example of this chapter, where anything matching the regular expression pattern
^/admin requires the ROLE_ADMIN role.
You can define as many URL patterns as you need - each is a regular expression.
Listing 13-10

1 # app/config/security.yml
2 security:
3
# ...
4
access_control:
5
- { path: ^/admin/users, roles: ROLE_SUPER_ADMIN }
6
- { path: ^/admin, roles: ROLE_ADMIN }

Prepending the path with ^ ensures that only URLs beginning with the pattern are matched. For
example, a path of simply /admin (without the ^) would correctly match /admin/foo but would
also match URLs like /foo/admin.

Understanding how access_control Works
For each incoming request, Symfony checks each access_control entry to find one that matches the
current request. As soon as it finds a matching access_control entry, it stops - only the first matching
access_control is used to enforce access.
Each access_control has several options that configure two different things:
1. should the incoming request match this access control entry
2. once it matches, should some sort of access restriction be enforced:

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 184

1. Matching Options
Symfony creates an instance of RequestMatcher2 for each access_control entry, which determines
whether or not a given access control should be used on this request. The following access_control
options are used for matching:





path
ip or ips
host
methods

Take the following access_control entries as an example:
Listing 13-11

1 # app/config/security.yml
2 security:
3
# ...
4
access_control:
5
- { path: ^/admin,
6
- { path: ^/admin,
7
- { path: ^/admin,
8
- { path: ^/admin,

roles:
roles:
roles:
roles:

ROLE_USER_IP, ip: 127.0.0.1 }
ROLE_USER_HOST, host: symfony\.com$ }
ROLE_USER_METHOD, methods: [POST, PUT] }
ROLE_USER }

For each incoming request, Symfony will decide which access_control to use based on the URI, the
client's IP address, the incoming host name, and the request method. Remember, the first rule that
matches is used, and if ip, host or method are not specified for an entry, that access_control will match
any ip, host or method:
URI

IP

HOST

METHOD access_control

Why?

/admin/ 127.0.0.1 example.com GET
user

rule #1
(ROLE_USER_IP)

The URI matches path
and the IP matches ip.

/admin/ 127.0.0.1 symfony.com GET
user

rule #1
(ROLE_USER_IP)

The path and ip still
match. This would also
match the
ROLE_USER_HOST entry,
but only the first
access_control match is
used.

/admin/ 168.0.0.1 symfony.com GET
user

rule #2
(ROLE_USER_HOST)

The ip doesn't match the
first rule, so the second
rule (which matches) is
used.

/admin/ 168.0.0.1 symfony.com POST
user

rule #2
(ROLE_USER_HOST)

The second rule still
matches. This would also
match the third rule
(ROLE_USER_METHOD), but
only the first matched
access_control is used.

/admin/ 168.0.0.1 example.com POST
user

rule #3
The ip and host don't
(ROLE_USER_METHOD) match the first two entries,
but the third -

2. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/RequestMatcher.html

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 185

URI

IP

HOST

METHOD access_control

Why?
ROLE_USER_METHOD matches and is used.

/admin/ 168.0.0.1 example.com GET
user

/foo

127.0.0.1 symfony.com POST

rule #4 (ROLE_USER)

The ip, host and method
prevent the first three
entries from matching. But
since the URI matches the
path pattern of the
ROLE_USER entry, it is
used.

matches no entries

This doesn't match any
access_control rules,
since its URI doesn't
match any of the path
values.

2. Access Enforcement
Once Symfony has decided which access_control entry matches (if any), it then enforces access
restrictions based on the roles and requires_channel options:
• role If the user does not have the given role(s), then access is denied (internally, an
AccessDeniedException3 is thrown);
• requires_channel If the incoming request's channel (e.g. http) does not match this value
(e.g. https), the user will be redirected (e.g. redirected from http to https, or vice versa).
If access is denied, the system will try to authenticate the user if not already (e.g. redirect the user
to the login page). If the user is already logged in, the 403 "access denied" error page will be shown.
See How to Customize Error Pages for more information.

Securing by IP
Certain situations may arise when you may need to restrict access to a given path based on IP. This
is particularly relevant in the case of Edge Side Includes (ESI), for example. When ESI is enabled, it's
recommended to secure access to ESI URLs. Indeed, some ESI may contain some private content like the
current logged in user's information. To prevent any direct access to these resources from a web browser
(by guessing the ESI URL pattern), the ESI route must be secured to be only visible from the trusted
reverse proxy cache.
New in version 2.3: Version 2.3 allows multiple IP addresses in a single rule with the ips: [a, b]
construct. Prior to 2.3, users should create one rule per IP address to match and use the ip key
instead of ips.

As you'll read in the explanation below the example, the ip option does not restrict to a specific
IP address. Instead, using the ip key means that the access_control entry will only match this IP
address, and users accessing it from a different IP address will continue down the access_control
list.

3. http://api.symfony.com/2.3/Symfony/Component/Security/Core/Exception/AccessDeniedException.html

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 186

Here is an example of how you might secure all ESI routes that start with a given prefix, /esi, from
outside access:
Listing 13-12

1 # app/config/security.yml
2 security:
3
# ...
4
access_control:
5
- { path: ^/esi, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] }
6
- { path: ^/esi, roles: ROLE_NO_ACCESS }

Here is how it works when the path is /esi/something coming from the 10.0.0.1 IP:
• The first access control rule is ignored as the path matches but the ip does not match either of
the IPs listed;
• The second access control rule is enabled (the only restriction being the path and it matches):
as the user cannot have the ROLE_NO_ACCESS role as it's not defined, access is denied (the
ROLE_NO_ACCESS role can be anything that does not match an existing role, it just serves as a
trick to always deny access).
Now, if the same request comes from 127.0.0.1 or ::1 (the IPv6 loopback address):
• Now, the first access control rule is enabled as both the path and the ip match: access is
allowed as the user always has the IS_AUTHENTICATED_ANONYMOUSLY role.
• The second access rule is not examined as the first rule matched.

Forcing a Channel (http, https)
You can also require a user to access a URL via SSL; just use the requires_channel argument in any
access_control entries. If this access_control is matched and the request is using the http channel,
the user will be redirected to https:
Listing 13-13

1 # app/config/security.yml
2 security:
3
# ...
4
access_control:
5
- { path: ^/cart/checkout, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel:
https }

Users
In the previous sections, you learned how you can protect different resources by requiring a set of roles
for a resource. This section explores the other side of authorization: users.

Where do Users Come from? (User Providers)
During authentication, the user submits a set of credentials (usually a username and password). The job
of the authentication system is to match those credentials against some pool of users. So where does this
list of users come from?
In Symfony, users can come from anywhere - a configuration file, a database table, a web service, or
anything else you can dream up. Anything that provides one or more users to the authentication system
is known as a "user provider". Symfony comes standard with the two most common user providers: one
that loads users from a configuration file and one that loads users from a database table.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 187

Specifying Users in a Configuration File
The easiest way to specify your users is directly in a configuration file. In fact, you've seen this already in
the example in this chapter.
Listing 13-14

1 # app/config/security.yml
2 security:
3
# ...
4
providers:
5
default_provider:
6
memory:
7
users:
8
ryan: { password: ryanpass, roles: 'ROLE_USER' }
9
admin: { password: kitten, roles: 'ROLE_ADMIN' }

This user provider is called the "in-memory" user provider, since the users aren't stored anywhere in a
database. The actual user object is provided by Symfony (User4).
Any user provider can load users directly from configuration by specifying the users configuration
parameter and listing the users beneath it.

If your username is completely numeric (e.g. 77) or contains a dash (e.g. user-name), you should
use an alternative syntax when specifying users in YAML:
Listing 13-15

1 users:
2
- { name: 77, password: pass, roles: 'ROLE_USER' }
3
- { name: user-name, password: pass, roles: 'ROLE_USER' }

For smaller sites, this method is quick and easy to setup. For more complex systems, you'll want to load
your users from the database.

Loading Users from the Database
If you'd like to load your users via the Doctrine ORM, you can easily do this by creating a User class and
configuring the entity provider.
A high-quality open source bundle is available that allows your users to be stored in a database.
Read more about the FOSUserBundle5 on GitHub.

With this approach, you'll first create your own User class, which will be stored in the database.
Listing 13-16

1
2
3
4
5
6
7

// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;
use Symfony\Component\Security\Core\User\UserInterface;
use Doctrine\ORM\Mapping as ORM;

/**

4. http://api.symfony.com/2.3/Symfony/Component/Security/Core/User/User.html
5. https://github.com/FriendsOfSymfony/FOSUserBundle

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 188

8 * @ORM\Entity
9 */
10 class User implements UserInterface
11 {
12
/**
13
* @ORM\Column(type="string", length=255)
14
*/
15
protected $username;
16
17
// ...
18 }

As far as the security system is concerned, the only requirement for your custom user class is that it
implements the UserInterface6 interface. This means that your concept of a "user" can be anything, as
long as it implements this interface.
The user object will be serialized and saved in the session during requests, therefore it is
recommended that you implement the Serializable interface7 in your user object. This is especially
important if your User class has a parent class with private properties.

Next, configure an entity user provider, and point it to your User class:
Listing 13-17

1 # app/config/security.yml
2 security:
3
providers:
4
main:
5
entity:
6
class: Acme\UserBundle\Entity\User
7
property: username

With the introduction of this new provider, the authentication system will attempt to load a User object
from the database by using the username field of that class.
This example is just meant to show you the basic idea behind the entity provider. For a full
working example, see How to Load Security Users from the Database (the Entity Provider).

For more information on creating your own custom provider (e.g. if you needed to load users via a web
service), see How to Create a custom User Provider.

Encoding the User's Password
So far, for simplicity, all the examples have stored the users' passwords in plain text (whether those users
are stored in a configuration file or in a database somewhere). Of course, in a real application, you'll want
to encode your users' passwords for security reasons. This is easily accomplished by mapping your User
class to one of several built-in "encoders". For example, to store your users in memory, but obscure their
passwords via bcrypt, do the following:
Listing 13-18

1 # app/config/security.yml
2 security:

6. http://api.symfony.com/2.3/Symfony/Component/Security/Core/User/UserInterface.html
7. http://php.net/manual/en/class.serializable.php

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 189

3
# ...
4
providers:
5
in_memory:
6
memory:
7
users:
8
ryan:
9
password: $2a$12$w/aHvnC/
10 XNeDVrrl65b3dept8QcKqpADxUlbraVXXsC03Jam5hvoO
11
roles: 'ROLE_USER'
12
admin:
13
password:
14 $2a$12$HmOsqRDJK0HuMDQ5Fb2.AOLMQHyNHGD0seyjU3lEVusjT72QQEIpW
15
roles: 'ROLE_ADMIN'
16
17
encoders:
18
Symfony\Component\Security\Core\User\User:
algorithm: bcrypt
cost: 12

New in version 2.2: The BCrypt encoder was introduced in Symfony 2.2.

You can now calculate the hashed password either programmatically (e.g. password_hash('ryanpass',
PASSWORD_BCRYPT, array('cost' => 12));) or via some online tool.
If you're using PHP 5.4 or lower, you'll need to install the ircmaxell/password-compat library via
Composer in order to be able to use the bcrypt encoder:
Listing 13-19

{
"require": {
...
"ircmaxell/password-compat": "~1.0.3"
}
}

Supported algorithms for this method depend on your PHP version. A full list is available by calling the
PHP function hash_algos8.
New in version 2.2: As of Symfony 2.2 you can also use the PBKDF2 password encoder.

Determining the Hashed Password
If you're storing users in the database and you have some sort of registration form for users, you'll need
to be able to determine the hashed password so that you can set it on your user before inserting it. No
matter what algorithm you configure for your user object, the hashed password can always be determined
in the following way from a controller:
Listing 13-20

8. http://php.net/manual/en/function.hash-algos.php

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 190

1
2
3
4
5
6

$factory = $this->get('security.encoder_factory');
$user = new Acme\UserBundle\Entity\User();
$encoder = $factory->getEncoder($user);
$password = $encoder->encodePassword('ryanpass', $user->getSalt());
$user->setPassword($password);

In order for this to work, just make sure that you have the encoder for your user class (e.g.
Acme\UserBundle\Entity\User) configured under the encoders key in app/config/security.yml.
When you allow a user to submit a plaintext password (e.g. registration form, change password
form), you must have validation that guarantees that the password is 4096 characters or less. Read
more details in How to implement a simple Registration Form.

Retrieving the User Object
After authentication, the User object of the current user can be accessed via the security.context
service. From inside a controller, this will look like:
Listing 13-21

1 public function indexAction()
2 {
3
$user = $this->get('security.context')->getToken()->getUser();
4 }

In a controller this can be shortcut to:
Listing 13-22

1 public function indexAction()
2 {
3
$user = $this->getUser();
4 }

Anonymous users are technically authenticated, meaning that the isAuthenticated() method of
an anonymous user object will return true. To check if your user is actually authenticated, check
for the IS_AUTHENTICATED_FULLY role.

In a Twig Template this object can be accessed via the app.user key, which calls the
GlobalVariables::getUser()9 method:
Listing 13-23

1 <p>Username: {{ app.user.username }}</p>

Using multiple User Providers
Each authentication mechanism (e.g. HTTP Authentication, form login, etc) uses exactly one user
provider, and will use the first declared user provider by default. But what if you want to specify a few
users via configuration and the rest of your users in the database? This is possible by creating a new
provider that chains the two together:
Listing 13-24

9. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/Templating/GlobalVariables.html#getUser()

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 191

1 # app/config/security.yml
2 security:
3
providers:
4
chain_provider:
5
chain:
6
providers: [in_memory, user_db]
7
in_memory:
8
memory:
9
users:
10
foo: { password: test }
11
user_db:
12
entity: { class: Acme\UserBundle\Entity\User, property: username }

Now, all authentication mechanisms will use the chain_provider, since it's the first specified. The
chain_provider will, in turn, try to load the user from both the in_memory and user_db providers.
You can also configure the firewall or individual authentication mechanisms to use a specific provider.
Again, unless a provider is specified explicitly, the first provider is always used:
Listing 13-25

1 # app/config/security.yml
2 security:
3
firewalls:
4
secured_area:
5
# ...
6
pattern: ^/
7
provider: user_db
8
http_basic:
9
realm: "Secured Demo Area"
10
provider: in_memory
11
form_login: ~

In this example, if a user tries to log in via HTTP authentication, the authentication system will use the
in_memory user provider. But if the user tries to log in via the form login, the user_db provider will be
used (since it's the default for the firewall as a whole).
For more information about user provider and firewall configuration, see the SecurityBundle
Configuration ("security").

Roles
The idea of a "role" is key to the authorization process. Each user is assigned a set of roles and then
each resource requires one or more roles. If the user has any one of the required roles, access is granted.
Otherwise access is denied.
Roles are pretty simple, and are basically strings that you can invent and use as needed (though roles
are objects internally). For example, if you need to start limiting access to the blog admin section of
your website, you could protect that section using a ROLE_BLOG_ADMIN role. This role doesn't need to be
defined anywhere - you can just start using it.
All roles must begin with the ROLE_ prefix to be managed by Symfony. If you define your own roles
with a dedicated Role class (more advanced), don't use the ROLE_ prefix.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 192

Hierarchical Roles
Instead of associating many roles to users, you can define role inheritance rules by creating a role
hierarchy:
Listing 13-26

1 # app/config/security.yml
2 security:
3
role_hierarchy:
4
ROLE_ADMIN:
ROLE_USER
5
ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

In the above configuration, users with ROLE_ADMIN role will also have the ROLE_USER role. The
ROLE_SUPER_ADMIN role has ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH and ROLE_USER (inherited from
ROLE_ADMIN).

Access Control
Now that you have a User and Roles, you can go further than URL-pattern based authorization.

Access Control in Controllers
Protecting your application based on URL patterns is easy, but may not be fine-grained enough in certain
cases. When necessary, you can easily force authorization from inside a controller:
Listing 13-27

1
2
3
4
5
6
7
8
9
10
11

// ...
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
public function helloAction($name)
{
if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) {
throw new AccessDeniedException();
}

// ...
}

A firewall must be active or an exception will be thrown when the isGranted() method is called.
It's almost always a good idea to have a main firewall that covers all URLs (as is shown in this
chapter).

You can also choose to install and use the optional JMSSecurityExtraBundle10, which can secure your
controller using annotations:
Listing 13-28

1
2
3
4
5
6
7
8

// ...
use JMS\SecurityExtraBundle\Annotation\Secure;
/**
* @Secure(roles="ROLE_ADMIN")
*/
public function helloAction($name)
{

10. http://jmsyst.com/bundles/JMSSecurityExtraBundle/1.2

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 193

9
10 }

// ...

Access Control in Other Services
In fact, anything in Symfony can be protected using a strategy similar to the one seen in the previous
section. For example, suppose you have a service (i.e. a PHP class) whose job is to send emails from one
user to another. You can restrict use of this class - no matter where it's being used from - to users that
have a specific role.
For more information on how you can use the Security component to secure different services and
methods in your application, see How to Secure any Service or Method in your Application.

Access Control in Templates
If you want to check if the current user has a role inside a template, use the built-in helper function:
Listing 13-29

1 {% if is_granted('ROLE_ADMIN') %}
2
<a href="...">Delete</a>
3 {% endif %}

If you use this function and are not at a URL behind a firewall active, an exception will be thrown.
Again, it's almost always a good idea to have a main firewall that covers all URLs (as has been
shown in this chapter).

Access Control Lists (ACLs): Securing individual Database Objects
Imagine you are designing a blog system where your users can comment on your posts. Now, you want
a user to be able to edit their own comments, but not those of other users. Also, as the admin user, you
yourself want to be able to edit all comments.
The Security component comes with an optional access control list (ACL) system that you can use when
you need to control access to individual instances of an object in your system. Without ACL, you can
secure your system so that only certain users can edit blog comments in general. But with ACL, you can
restrict or allow access on a comment-by-comment basis.
For more information, see the cookbook article: How to Use Access Control Lists (ACLs).

Logging Out
Usually, you'll also want your users to be able to log out. Fortunately, the firewall can handle this
automatically for you when you activate the logout config parameter:
Listing 13-30

1 # app/config/security.yml
2 security:
3
firewalls:
4
secured_area:
5
# ...
6
logout:
7
path:
/logout

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 194

8
9

target: /

# ...

Once this is configured under your firewall, sending a user to /logout (or whatever you configure the
path to be), will un-authenticate the current user. The user will then be sent to the homepage (the
value defined by the target parameter). Both the path and target config parameters default to what's
specified here. In other words, unless you need to customize them, you can omit them entirely and
shorten your configuration:
Listing 13-31

1 logout: ~

Note that you will not need to implement a controller for the /logout URL as the firewall takes care of
everything. You do, however, need to create a route so that you can use it to generate the URL:
Listing 13-32

1 # app/config/routing.yml
2 logout:
3
path: /logout

As of Symfony 2.1, you must have a route that corresponds to your logout path. Without this route,
logging out will not work.

Once the user has been logged out, they will be redirected to whatever path is defined by the target
parameter above (e.g. the homepage). For more information on configuring the logout, see the Security
Configuration Reference.

Stateless Authentication
By default, Symfony relies on a cookie (the Session) to persist the security context of the user. But if you
use certificates or HTTP authentication for instance, persistence is not needed as credentials are available
for each request. In that case, and if you don't need to store anything else between requests, you can
activate the stateless authentication (which means that no cookie will be ever created by Symfony):
Listing 13-33

1 # app/config/security.yml
2 security:
3
firewalls:
4
main:
5
http_basic: ~
6
stateless: true

If you use a form login, Symfony will create a cookie even if you set stateless to true.

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 195

Utilities
New in version 2.2: The StringUtils and SecureRandom classes were introduced in Symfony 2.2

The Symfony Security component comes with a collection of nice utilities related to security. These
utilities are used by Symfony, but you should also use them if you want to solve the problem they address.

Comparing Strings
The time it takes to compare two strings depends on their differences. This can be used by an attacker
when the two strings represent a password for instance; it is known as a Timing attack11.
Internally, when comparing two passwords, Symfony uses a constant-time algorithm; you can use the
same strategy in your own code thanks to the StringUtils12 class:
Listing 13-34

1 use Symfony\Component\Security\Core\Util\StringUtils;
2
3 // is password1 equals to password2?
4 $bool = StringUtils::equals($password1, $password2);

Generating a secure random Number
Whenever you need to generate a secure random number, you are highly encouraged to use the Symfony
SecureRandom13 class:
Listing 13-35

1 use Symfony\Component\Security\Core\Util\SecureRandom;
2
3 $generator = new SecureRandom();
4 $random = $generator->nextBytes(10);

The nextBytes()14 methods returns a random string composed of the number of characters passed as an
argument (10 in the above example).
The SecureRandom class works better when OpenSSL is installed but when it's not available, it falls back
to an internal algorithm, which needs a seed file to work correctly. Just pass a file name to enable it:
Listing 13-36

1 $generator = new SecureRandom('/some/path/to/store/the/seed.txt');
2 $random = $generator->nextBytes(10);

You can also access a secure random instance directly from the Symfony dependency injection
container; its name is security.secure_random.

11. http://en.wikipedia.org/wiki/Timing_attack
12. http://api.symfony.com/2.3/Symfony/Component/Security/Core/Util/StringUtils.html
13. http://api.symfony.com/2.3/Symfony/Component/Security/Core/Util/SecureRandom.html
14. http://api.symfony.com/2.3/Symfony/Component/Security/Core/Util/SecureRandom.html#nextBytes()

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 196

Final Words
Security can be a deep and complex issue to solve correctly in your application. Fortunately, Symfony's
Security component follows a well-proven security model based around authentication and authorization.
Authentication, which always happens first, is handled by a firewall whose job is to determine the
identity of the user through several different methods (e.g. HTTP authentication, login form, etc). In
the cookbook, you'll find examples of other methods for handling authentication, including how to
implement a "remember me" cookie functionality.
Once a user is authenticated, the authorization layer can determine whether or not the user should have
access to a specific resource. Most commonly, roles are applied to URLs, classes or methods and if the
current user doesn't have that role, access is denied. The authorization layer, however, is much deeper,
and follows a system of "voting" so that multiple parties can determine if the current user should have
access to a given resource. Find out more about this and other topics in the cookbook.

Learn more from the Cookbook






Forcing HTTP/HTTPS
Impersonating a User
Blacklist users by IP address with a custom voter
Access Control Lists (ACLs)
How to Add "Remember Me" Login Functionality

PDF brought to you by
generated on October 9, 2014

Chapter 13: Security | 197

Chapter 14

HTTP Cache
The nature of rich web applications means that they're dynamic. No matter how efficient your
application, each request will always contain more overhead than serving a static file.
And for most Web applications, that's fine. Symfony is lightning fast, and unless you're doing some
serious heavy-lifting, each request will come back quickly without putting too much stress on your server.
But as your site grows, that overhead can become a problem. The processing that's normally performed
on every request should be done only once. This is exactly what caching aims to accomplish.

Caching on the Shoulders of Giants
The most effective way to improve performance of an application is to cache the full output of a page
and then bypass the application entirely on each subsequent request. Of course, this isn't always possible
for highly dynamic websites, or is it? In this chapter, you'll see how the Symfony cache system works and
why this is the best possible approach.
The Symfony cache system is different because it relies on the simplicity and power of the HTTP cache as
defined in the HTTP specification. Instead of reinventing a caching methodology, Symfony embraces the
standard that defines basic communication on the Web. Once you understand the fundamental HTTP
validation and expiration caching models, you'll be ready to master the Symfony cache system.
For the purposes of learning how to cache with Symfony, the subject is covered in four steps:
1. A gateway cache, or reverse proxy, is an independent layer that sits in front of your application.
The reverse proxy caches responses as they're returned from your application and answers
requests with cached responses before they hit your application. Symfony provides its own
reverse proxy, but any reverse proxy can be used.
2. HTTP cache headers are used to communicate with the gateway cache and any other caches
between your application and the client. Symfony provides sensible defaults and a powerful
interface for interacting with the cache headers.
3. HTTP expiration and validation are the two models used for determining whether cached
content is fresh (can be reused from the cache) or stale (should be regenerated by the
application).
4. Edge Side Includes (ESI) allow HTTP cache to be used to cache page fragments (even nested
fragments) independently. With ESI, you can even cache an entire page for 60 minutes, but an
embedded sidebar for only 5 minutes.
PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 198

Since caching with HTTP isn't unique to Symfony, many articles already exist on the topic. If you're new
to HTTP caching, Ryan Tomayko's article Things Caches Do1 is highly recommended . Another in-depth
resource is Mark Nottingham's Cache Tutorial2.

Caching with a Gateway Cache
When caching with HTTP, the cache is separated from your application entirely and sits between your
application and the client making the request.
The job of the cache is to accept requests from the client and pass them back to your application. The
cache will also receive responses back from your application and forward them on to the client. The cache
is the "middle-man" of the request-response communication between the client and your application.
Along the way, the cache will store each response that is deemed "cacheable" (See Introduction to HTTP
Caching). If the same resource is requested again, the cache sends the cached response to the client,
ignoring your application entirely.
This type of cache is known as a HTTP gateway cache and many exist such as Varnish3, Squid in reverse
proxy mode4, and the Symfony reverse proxy.

Types of Caches
But a gateway cache isn't the only type of cache. In fact, the HTTP cache headers sent by your application
are consumed and interpreted by up to three different types of caches:
• Browser caches: Every browser comes with its own local cache that is mainly useful for when
you hit "back" or for images and other assets. The browser cache is a private cache as cached
resources aren't shared with anyone else;
• Proxy caches: A proxy is a shared cache as many people can be behind a single one. It's usually
installed by large corporations and ISPs to reduce latency and network traffic;
• Gateway caches: Like a proxy, it's also a shared cache but on the server side. Installed by
network administrators, it makes websites more scalable, reliable and performant.
Gateway caches are sometimes referred to as reverse proxy caches, surrogate caches, or even HTTP
accelerators.

The significance of private versus shared caches will become more obvious when caching responses
containing content that is specific to exactly one user (e.g. account information) is discussed.

Each response from your application will likely go through one or both of the first two cache types. These
caches are outside of your control but follow the HTTP cache directions set in the response.

Symfony Reverse Proxy
Symfony comes with a reverse proxy (also called a gateway cache) written in PHP. Enable it and
cacheable responses from your application will start to be cached right away. Installing it is just as easy.
Each new Symfony application comes with a pre-configured caching kernel (AppCache) that wraps the
default one (AppKernel). The caching Kernel is the reverse proxy.
1. http://tomayko.com/writings/things-caches-do
2. http://www.mnot.net/cache_docs/
3. https://www.varnish-cache.org/
4. http://wiki.squid-cache.org/SquidFaq/ReverseProxy

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 199

To enable caching, modify the code of a front controller to use the caching kernel:
Listing 14-1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

// web/app.php
require_once __DIR__.'/../app/bootstrap.php.cache';
require_once __DIR__.'/../app/AppKernel.php';
require_once __DIR__.'/../app/AppCache.php';
use Symfony\Component\HttpFoundation\Request;
$kernel = new AppKernel('prod', false);
$kernel->loadClassCache();
// wrap the default AppKernel with the AppCache one
$kernel = new AppCache($kernel);
$request = Request::createFromGlobals();
$response = $kernel->handle($request);
$response->send();
$kernel->terminate($request, $response);

The caching kernel will immediately act as a reverse proxy - caching responses from your application and
returning them to the client.
The cache kernel has a special getLog() method that returns a string representation of what
happened in the cache layer. In the development environment, use it to debug and validate your
cache strategy:
Listing 14-2

1 error_log($kernel->getLog());

The AppCache object has a sensible default configuration, but it can be finely tuned via a set of options
you can set by overriding the getOptions()5 method:
Listing 14-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

// app/AppCache.php
use Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache;
class AppCache extends HttpCache
{
protected function getOptions()
{
return array(
'debug'
'default_ttl'
'private_headers'
'allow_reload'
'allow_revalidate'
'stale_while_revalidate'
'stale_if_error'
);
}
}

=>
=>
=>
=>
=>
=>
=>

false,
0,
array('Authorization', 'Cookie'),
false,
false,
2,
60,

Unless overridden in getOptions(), the debug option will be set to automatically be the debug
value of the wrapped AppKernel.

5. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/HttpCache/HttpCache.html#getOptions()

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 200

Here is a list of the main options:
• default_ttl: The number of seconds that a cache entry should be considered fresh when no
explicit freshness information is provided in a response. Explicit Cache-Control or Expires
headers override this value (default: 0);
• private_headers: Set of request headers that trigger "private" Cache-Control behavior on
responses that don't explicitly state whether the response is public or private via a CacheControl directive. (default: Authorization and Cookie);
• allow_reload: Specifies whether the client can force a cache reload by including a CacheControl "no-cache" directive in the request. Set it to true for compliance with RFC 2616
(default: false);
• allow_revalidate: Specifies whether the client can force a cache revalidate by including a
Cache-Control "max-age=0" directive in the request. Set it to true for compliance with RFC
2616 (default: false);
• stale_while_revalidate: Specifies the default number of seconds (the granularity is the
second as the Response TTL precision is a second) during which the cache can immediately
return a stale response while it revalidates it in the background (default: 2); this setting
is overridden by the stale-while-revalidate HTTP Cache-Control extension (see RFC
5861);
• stale_if_error: Specifies the default number of seconds (the granularity is the second)
during which the cache can serve a stale response when an error is encountered (default: 60).
This setting is overridden by the stale-if-error HTTP Cache-Control extension (see RFC
5861).
If debug is true, Symfony automatically adds a X-Symfony-Cache header to the response containing
useful information about cache hits and misses.

Changing from one Reverse Proxy to another
The Symfony reverse proxy is a great tool to use when developing your website or when you deploy
your website to a shared host where you cannot install anything beyond PHP code. But being
written in PHP, it cannot be as fast as a proxy written in C. That's why it is highly recommended
you use Varnish or Squid on your production servers if possible. The good news is that the switch
from one proxy server to another is easy and transparent as no code modification is needed in your
application. Start easy with the Symfony reverse proxy and upgrade later to Varnish when your
traffic increases.
For more information on using Varnish with Symfony, see the How to use Varnish cookbook
chapter.

The performance of the Symfony reverse proxy is independent of the complexity of the application.
That's because the application kernel is only booted when the request needs to be forwarded to it.

Introduction to HTTP Caching
To take advantage of the available cache layers, your application must be able to communicate which
responses are cacheable and the rules that govern when/how that cache should become stale. This is done
by setting HTTP cache headers on the response.

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 201

Keep in mind that "HTTP" is nothing more than the language (a simple text language) that web
clients (e.g. browsers) and web servers use to communicate with each other. HTTP caching is the
part of that language that allows clients and servers to exchange information related to caching.

HTTP specifies four response cache headers that are looked at here:





Cache-Control
Expires
ETag
Last-Modified

The most important and versatile header is the Cache-Control header, which is actually a collection of
various cache information.
Each of the headers will be explained in full detail in the HTTP Expiration and Validation section.

The Cache-Control Header
The Cache-Control header is unique in that it contains not one, but various pieces of information about
the cacheability of a response. Each piece of information is separated by a comma:
Listing 14-4

1 Cache-Control: private, max-age=0, must-revalidate
2
3 Cache-Control: max-age=3600, must-revalidate

Symfony provides an abstraction around the Cache-Control header to make its creation more
manageable:
Listing 14-5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// ...
use Symfony\Component\HttpFoundation\Response;
$response = new Response();

// mark the response as either public or private
$response->setPublic();
$response->setPrivate();
// set the private or shared max age
$response->setMaxAge(600);
$response->setSharedMaxAge(600);
// set a custom Cache-Control directive
$response->headers->addCacheControlDirective('must-revalidate', true);

Public vs private Responses
Both gateway and proxy caches are considered "shared" caches as the cached content is shared by more
than one user. If a user-specific response were ever mistakenly stored by a shared cache, it might be
returned later to any number of different users. Imagine if your account information were cached and
then returned to every subsequent user who asked for their account page!

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 202

To handle this situation, every response may be set to be public or private:
• public: Indicates that the response may be cached by both private and shared caches;
• private: Indicates that all or part of the response message is intended for a single user and must
not be cached by a shared cache.
Symfony conservatively defaults each response to be private. To take advantage of shared caches (like the
Symfony reverse proxy), the response will need to be explicitly set as public.

Safe Methods
HTTP caching only works for "safe" HTTP methods (like GET and HEAD). Being safe means that
you never change the application's state on the server when serving the request (you can of course log
information, cache data, etc). This has two very reasonable consequences:
• You should never change the state of your application when responding to a GET or HEAD
request. Even if you don't use a gateway cache, the presence of proxy caches mean that any
GET or HEAD request may or may not actually hit your server;
• Don't expect PUT, POST or DELETE methods to cache. These methods are meant to be used
when mutating the state of your application (e.g. deleting a blog post). Caching them would
prevent certain requests from hitting and mutating your application.

Caching Rules and Defaults
HTTP 1.1 allows caching anything by default unless there is an explicit Cache-Control header. In
practice, most caches do nothing when requests have a cookie, an authorization header, use a non-safe
method (i.e. PUT, POST, DELETE), or when responses have a redirect status code.
Symfony automatically sets a sensible and conservative Cache-Control header when none is set by the
developer by following these rules:
• If no cache header is defined (Cache-Control, Expires, ETag or Last-Modified), CacheControl is set to no-cache, meaning that the response will not be cached;
• If Cache-Control is empty (but one of the other cache headers is present), its value is set to
private, must-revalidate;
• But if at least one Cache-Control directive is set, and no public or private directives have
been explicitly added, Symfony adds the private directive automatically (except when smaxage is set).

HTTP Expiration and Validation
The HTTP specification defines two caching models:
• With the expiration model6, you simply specify how long a response should be considered
"fresh" by including a Cache-Control and/or an Expires header. Caches that understand
expiration will not make the same request until the cached version reaches its expiration time
and becomes "stale";
• When pages are really dynamic (i.e. their representation changes often), the validation model7
is often necessary. With this model, the cache stores the response, but asks the server on
each request whether or not the cached response is still valid. The application uses a unique
response identifier (the Etag header) and/or a timestamp (the Last-Modified header) to check
if the page has changed since being cached.

6. http://tools.ietf.org/html/rfc2616#section-13.2
7. http://tools.ietf.org/html/rfc2616#section-13.3

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 203

The goal of both models is to never generate the same response twice by relying on a cache to store and
return "fresh" responses.

Reading the HTTP Specification
The HTTP specification defines a simple but powerful language in which clients and servers can
communicate. As a web developer, the request-response model of the specification dominates your
work. Unfortunately, the actual specification document - RFC 26168 - can be difficult to read.
There is an on-going effort (HTTP Bis9) to rewrite the RFC 2616. It does not describe a new version
of HTTP, but mostly clarifies the original HTTP specification. The organization is also improved as
the specification is split into seven parts; everything related to HTTP caching can be found in two
dedicated parts (P4 - Conditional Requests10 and P6 - Caching: Browser and intermediary caches).
As a web developer, you are strongly urged to read the specification. Its clarity and power - even
more than ten years after its creation - is invaluable. Don't be put-off by the appearance of the spec
- its contents are much more beautiful than its cover.

Expiration
The expiration model is the more efficient and straightforward of the two caching models and should be
used whenever possible. When a response is cached with an expiration, the cache will store the response
and return it directly without hitting the application until it expires.
The expiration model can be accomplished using one of two, nearly identical, HTTP headers: Expires
or Cache-Control.

Expiration with the Expires Header
According to the HTTP specification, "the Expires header field gives the date/time after which the
response is considered stale." The Expires header can be set with the setExpires() Response method.
It takes a DateTime instance as an argument:
Listing 14-6

1 $date = new DateTime();
2 $date->modify('+600 seconds');
3
4 $response->setExpires($date);

The resulting HTTP header will look like this:
Listing 14-7

1 Expires: Thu, 01 Mar 2011 16:00:00 GMT

The setExpires() method automatically converts the date to the GMT timezone as required by
the specification.

Note that in HTTP versions before 1.1 the origin server wasn't required to send the Date header.
Consequently the cache (e.g. the browser) might need to rely on the local clock to evaluate the Expires
header making the lifetime calculation vulnerable to clock skew. Another limitation of the Expires
header is that the specification states that "HTTP/1.1 servers should not send Expires dates more than
one year in the future."
8. http://tools.ietf.org/html/rfc2616
9. http://tools.ietf.org/wg/httpbis/
10. http://tools.ietf.org/html/draft-ietf-httpbis-p4-conditional

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 204

Expiration with the Cache-Control Header
Because of the Expires header limitations, most of the time, you should use the Cache-Control header
instead. Recall that the Cache-Control header is used to specify many different cache directives. For
expiration, there are two directives, max-age and s-maxage. The first one is used by all caches, whereas
the second one is only taken into account by shared caches:
Listing 14-8

1
2
3
4
5
6

// Sets the number of seconds after which the response
// should no longer be considered fresh
$response->setMaxAge(600);
// Same as above but only for shared caches
$response->setSharedMaxAge(600);

The Cache-Control header would take on the following format (it may have additional directives):
Listing 14-9

1 Cache-Control: max-age=600, s-maxage=600

Validation
When a resource needs to be updated as soon as a change is made to the underlying data, the expiration
model falls short. With the expiration model, the application won't be asked to return the updated
response until the cache finally becomes stale.
The validation model addresses this issue. Under this model, the cache continues to store responses. The
difference is that, for each request, the cache asks the application whether or not the cached response is
still valid. If the cache is still valid, your application should return a 304 status code and no content. This
tells the cache that it's ok to return the cached response.
Under this model, you only save CPU if you're able to determine that the cached response is still valid by
doing less work than generating the whole page again (see below for an implementation example).
The 304 status code means "Not Modified". It's important because with this status code the
response does not contain the actual content being requested. Instead, the response is simply a
light-weight set of directions that tells the cache that it should use its stored version.

Like with expiration, there are two different HTTP headers that can be used to implement the validation
model: ETag and Last-Modified.

Validation with the ETag Header
The ETag header is a string header (called the "entity-tag") that uniquely identifies one representation of
the target resource. It's entirely generated and set by your application so that you can tell, for example,
if the /about resource that's stored by the cache is up-to-date with what your application would return.
An ETag is like a fingerprint and is used to quickly compare if two different versions of a resource are
equivalent. Like fingerprints, each ETag must be unique across all representations of the same resource.
To see a simple implementation, generate the ETag as the md5 of the content:
Listing 14-10

1 use Symfony\Component\HttpFoundation\Request;
2
3 public function indexAction(Request $request)
4 {
5
$response = $this->render('MyBundle:Main:index.html.twig');
6
$response->setETag(md5($response->getContent()));

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 205

7
8
9
10
11 }

$response->setPublic(); // make sure the response is public/cacheable
$response->isNotModified($request);
return $response;

The isNotModified()11 method compares the If-None-Match sent with the Request with the ETag
header set on the Response. If the two match, the method automatically sets the Response status code to
304.
The cache sets the If-None-Match header on the request to the ETag of the original cached
response before sending the request back to the app. This is how the cache and server
communicate with each other and decide whether or not the resource has been updated since it
was cached.

This algorithm is simple enough and very generic, but you need to create the whole Response before
being able to compute the ETag, which is sub-optimal. In other words, it saves on bandwidth, but not
CPU cycles.
In the Optimizing your Code with Validation section, you'll see how validation can be used more
intelligently to determine the validity of a cache without doing so much work.
Symfony also supports weak ETags by passing true as the second argument to the setETag()12
method.

Validation with the Last-Modified Header
The Last-Modified header is the second form of validation. According to the HTTP specification,
"The Last-Modified header field indicates the date and time at which the origin server believes the
representation was last modified." In other words, the application decides whether or not the cached
content has been updated based on whether or not it's been updated since the response was cached.
For instance, you can use the latest update date for all the objects needed to compute the resource
representation as the value for the Last-Modified header value:
Listing 14-11

1 use Symfony\Component\HttpFoundation\Request;
2
3 public function showAction($articleSlug, Request $request)
4 {
5
// ...
6
7
$articleDate = new \DateTime($article->getUpdatedAt());
8
$authorDate = new \DateTime($author->getUpdatedAt());
9
10
$date = $authorDate > $articleDate ? $authorDate : $articleDate;
11
12
$response->setLastModified($date);
13
// Set response as public. Otherwise it will be private by default.
14
$response->setPublic();
15

11. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html#isNotModified()
12. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html#setETag()

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 206

16
17
18
19
20
21
22
23 }

if ($response->isNotModified($request)) {
return $response;
}

// ... do more work to populate the response with the full content
return $response;

The isNotModified()13 method compares the If-Modified-Since header sent by the request with the
Last-Modified header set on the response. If they are equivalent, the Response will be set to a 304 status
code.
The cache sets the If-Modified-Since header on the request to the Last-Modified of the original
cached response before sending the request back to the app. This is how the cache and server
communicate with each other and decide whether or not the resource has been updated since it
was cached.

Optimizing your Code with Validation
The main goal of any caching strategy is to lighten the load on the application. Put another way, the
less you do in your application to return a 304 response, the better. The Response::isNotModified()
method does exactly that by exposing a simple and efficient pattern:
Listing 14-12

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Request;
public function showAction($articleSlug, Request $request)
{
// Get the minimum information to compute
// the ETag or the Last-Modified value
// (based on the Request, data is retrieved from
// a database or a key-value store for instance)
$article = ...;

// create a Response with an ETag and/or a Last-Modified header
$response = new Response();
$response->setETag($article->computeETag());
$response->setLastModified($article->getPublishedAt());
// Set response as public. Otherwise it will be private by default.
$response->setPublic();
// Check that the Response is not modified for the given Request
if ($response->isNotModified($request)) {
// return the 304 Response immediately
return $response;
}
// do more work here - like retrieving more data
$comments = ...;
// or render a template with the $response you've already started

13. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html#isNotModified()

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 207

30
31
32
33
34
35 }

return $this->render(
'MyBundle:MyController:article.html.twig',
array('article' => $article, 'comments' => $comments),
$response
);

When the Response is not modified, the isNotModified() automatically sets the response status code
to 304, removes the content, and removes some headers that must not be present for 304 responses (see
setNotModified()14).

Varying the Response
So far, it's been assumed that each URI has exactly one representation of the target resource. By default,
HTTP caching is done by using the URI of the resource as the cache key. If two people request the same
URI of a cacheable resource, the second person will receive the cached version.
Sometimes this isn't enough and different versions of the same URI need to be cached based on one or
more request header values. For instance, if you compress pages when the client supports it, any given
URI has two representations: one when the client supports compression, and one when it does not. This
determination is done by the value of the Accept-Encoding request header.
In this case, you need the cache to store both a compressed and uncompressed version of the response
for the particular URI and return them based on the request's Accept-Encoding value. This is done by
using the Vary response header, which is a comma-separated list of different headers whose values trigger
a different representation of the requested resource:
Listing 14-13

1 Vary: Accept-Encoding, User-Agent

This particular Vary header would cache different versions of each resource based on the URI and
the value of the Accept-Encoding and User-Agent request header.

The Response object offers a clean interface for managing the Vary header:
Listing 14-14

1
2
3
4
5

// set one vary header
$response->setVary('Accept-Encoding');
// set multiple vary headers
$response->setVary(array('Accept-Encoding', 'User-Agent'));

The setVary() method takes a header name or an array of header names for which the response varies.

Expiration and Validation
You can of course use both validation and expiration within the same Response. As expiration wins over
validation, you can easily benefit from the best of both worlds. In other words, by using both expiration
and validation, you can instruct the cache to serve the cached content, while checking back at some
interval (the expiration) to verify that the content is still valid.

14. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html#setNotModified()

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 208

You can also define HTTP caching headers for expiration and validation by using annotations. See
the FrameworkExtraBundle documentation.

More Response Methods
The Response class provides many more methods related to the cache. Here are the most useful ones:
Listing 14-15

1
2
3
4
5

// Marks the Response stale
$response->expire();
// Force the response to return a proper 304 response with no content
$response->setNotModified();

Additionally, most cache-related HTTP headers can be set via the single setCache()15 method:
Listing 14-16

1 // Set cache settings in one call
2 $response->setCache(array(
3
'etag'
=> $etag,
4
'last_modified' => $date,
5
'max_age'
=> 10,
6
's_maxage'
=> 10,
7
'public'
=> true,
8
// 'private'
=> true,
9 ));

Using Edge Side Includes
Gateway caches are a great way to make your website perform better. But they have one limitation: they
can only cache whole pages. If you can't cache whole pages or if parts of a page has "more" dynamic parts,
you are out of luck. Fortunately, Symfony provides a solution for these cases, based on a technology
called ESI16, or Edge Side Includes. Akamai wrote this specification almost 10 years ago, and it allows
specific parts of a page to have a different caching strategy than the main page.
The ESI specification describes tags you can embed in your pages to communicate with the gateway
cache. Only one tag is implemented in Symfony, include, as this is the only useful one outside of Akamai
context:
Listing 14-17

1 <!DOCTYPE html>
2 <html>
3
<body>
4
<!-- ... some content -->
5
6
<!-- Embed the content of another page here -->
7
<esi:include src="http://..." />
8
9
<!-- ... more content -->
10
</body>
11 </html>

15. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html#setCache()
16. http://www.w3.org/TR/esi-lang

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 209

Notice from the example that each ESI tag has a fully-qualified URL. An ESI tag represents a page
fragment that can be fetched via the given URL.

When a request is handled, the gateway cache fetches the entire page from its cache or requests it from
the backend application. If the response contains one or more ESI tags, these are processed in the same
way. In other words, the gateway cache either retrieves the included page fragment from its cache or
requests the page fragment from the backend application again. When all the ESI tags have been resolved,
the gateway cache merges each into the main page and sends the final content to the client.
All of this happens transparently at the gateway cache level (i.e. outside of your application). As you'll
see, if you choose to take advantage of ESI tags, Symfony makes the process of including them almost
effortless.

Using ESI in Symfony
First, to use ESI, be sure to enable it in your application configuration:
Listing 14-18

1 # app/config/config.yml
2 framework:
3
# ...
4
esi: { enabled: true }

Now, suppose you have a page that is relatively static, except for a news ticker at the bottom of the
content. With ESI, you can cache the news ticker independent of the rest of the page.
Listing 14-19

1 public function indexAction()
2 {
3
$response = $this->render('MyBundle:MyController:index.html.twig');
4
// set the shared max age - which also marks the response as public
5
$response->setSharedMaxAge(600);
6
7
return $response;
8 }

In this example, the full-page cache has a lifetime of ten minutes. Next, include the news ticker in the
template by embedding an action. This is done via the render helper (See Embedding Controllers for more
details).
As the embedded content comes from another page (or controller for that matter), Symfony uses the
standard render helper to configure ESI tags:
Listing 14-20

1
2
3
4
5

{# you can use a controller reference #}
{{ render_esi(controller('...:news', { 'max': 5 })) }}
{# ... or a URL #}
{{ render_esi(url('latest_news', { 'max': 5 })) }}

By using the esi renderer (via the render_esi Twig function), you tell Symfony that the action should
be rendered as an ESI tag. You might be wondering why you would want to use a helper instead of just
writing the ESI tag yourself. That's because using a helper makes your application work even if there is
no gateway cache installed.
When using the default render function (or setting the renderer to inline), Symfony merges the
included page content into the main one before sending the response to the client. But if you use the esi
renderer (i.e. call render_esi), and if Symfony detects that it's talking to a gateway cache that supports

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 210

ESI, it generates an ESI include tag. But if there is no gateway cache or if it does not support ESI, Symfony
will just merge the included page content within the main one as it would have done if you had used
render.
Symfony detects if a gateway cache supports ESI via another Akamai specification that is supported
out of the box by the Symfony reverse proxy.

The embedded action can now specify its own caching rules, entirely independent of the master page.
Listing 14-21

1 public function newsAction($max)
2 {
3
// ...
4
5
$response->setSharedMaxAge(60);
6 }

With ESI, the full page cache will be valid for 600 seconds, but the news component cache will only last
for 60 seconds.
When using a controller reference, the ESI tag should reference the embedded action as an accessible
URL so the gateway cache can fetch it independently of the rest of the page. Symfony takes care of
generating a unique URL for any controller reference and it is able to route them properly thanks to the
FragmentListener17 that must be enabled in your configuration:
Listing 14-22

1 # app/config/config.yml
2 framework:
3
# ...
4
fragments: { path: /_fragment }

One great advantage of the ESI renderer is that you can make your application as dynamic as needed and
at the same time, hit the application as little as possible.
The listener only responds to local IP addresses or trusted proxies.

Once you start using ESI, remember to always use the s-maxage directive instead of max-age. As
the browser only ever receives the aggregated resource, it is not aware of the sub-components, and
so it will obey the max-age directive and cache the entire page. And you don't want that.

The render_esi helper supports two other useful options:
• alt: used as the alt attribute on the ESI tag, which allows you to specify an alternative URL
to be used if the src cannot be found;
• ignore_errors: if set to true, an onerror attribute will be added to the ESI with a value of
continue indicating that, in the event of a failure, the gateway cache will simply remove the
ESI tag silently.

17. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/EventListener/FragmentListener.html

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 211

Cache Invalidation
"There are only two hard things in Computer Science: cache invalidation and naming things." -Phil Karlton
You should never need to invalidate cached data because invalidation is already taken into account
natively in the HTTP cache models. If you use validation, you never need to invalidate anything by
definition; and if you use expiration and need to invalidate a resource, it means that you set the expires
date too far away in the future.
Since invalidation is a topic specific to each type of reverse proxy, if you don't worry about
invalidation, you can switch between reverse proxies without changing anything in your
application code.

Actually, all reverse proxies provide ways to purge cached data, but you should avoid them as much as
possible. The most standard way is to purge the cache for a given URL by requesting it with the special
PURGE HTTP method.
Here is how you can configure the Symfony reverse proxy to support the PURGE HTTP method:
Listing 14-23

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

// app/AppCache.php
// ...
use Symfony\Bundle\FrameworkBundle\HttpCache\HttpCache;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
class AppCache extends HttpCache
{
protected function invalidate(Request $request, $catch = false)
{
if ('PURGE' !== $request->getMethod()) {
return parent::invalidate($request, $catch);
}
$response = new Response();
if ($this->getStore()->purge($request->getUri())) {
$response->setStatusCode(200, 'Purged');
} else {
$response->setStatusCode(404, 'Not purged');
}
return $response;
}
}

You must protect the PURGE HTTP method somehow to avoid random people purging your cached
data.

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 212

Summary
Symfony was designed to follow the proven rules of the road: HTTP. Caching is no exception. Mastering
the Symfony cache system means becoming familiar with the HTTP cache models and using them
effectively. This means that, instead of relying only on Symfony documentation and code examples, you
have access to a world of knowledge related to HTTP caching and gateway caches such as Varnish.

Learn more from the Cookbook
• How to Use Varnish to Speed up my Website

PDF brought to you by
generated on October 9, 2014

Chapter 14: HTTP Cache | 213

Chapter 15

Translations
The term "internationalization" (often abbreviated i18n1) refers to the process of abstracting strings
and other locale-specific pieces out of your application into a layer where they can be translated and
converted based on the user's locale (i.e. language and country). For text, this means wrapping each with
a function capable of translating the text (or "message") into the language of the user:
Listing 15-1

1
2
3
4
5
6

// text will *always* print out in English
echo 'Hello World';
// text can be translated into the end-user's language or
// default to English
echo $translator->trans('Hello World');

The term locale refers roughly to the user's language and country. It can be any string that your
application uses to manage translations and other format differences (e.g. currency format). The
ISO 639-12 language code, an underscore (_), then the ISO 3166-1 alpha-23 country code (e.g.
fr_FR for French/France) is recommended.

In this chapter, you'll learn how to use the Translation component in the Symfony framework. You can
read the Translation component documentation to learn even more. Overall, the process has several steps:
1. Enable and configure Symfony's translation service;
2. Abstract strings (i.e. "messages") by wrapping them in calls to the Translator ("Basic
Translation");
3. Create translation resources/files for each supported locale that translate each message in the
application;
4. Determine, set and manage the user's locale for the request and optionally on the user's entire
session.

1. http://en.wikipedia.org/wiki/Internationalization_and_localization
2. http://en.wikipedia.org/wiki/List_of_ISO_639-1_codes
3. http://en.wikipedia.org/wiki/ISO_3166-1#Current_codes

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 214

Configuration
Translations are handled by a translator service that uses the user's locale to lookup and return
translated messages. Before using it, enable the translator in your configuration:
Listing 15-2

1 # app/config/config.yml
2 framework:
3
translator: { fallback: en }

See Fallback Translation Locales for details on the fallback key and what Symfony does when it doesn't
find a translation.
The locale used in translations is the one stored on the request. This is typically set via a _locale attribute
on your routes (see The Locale and the URL).

Basic Translation
Translation of text is done through the translator service (Translator4). To translate a block of text
(called a message), use the trans()5 method. Suppose, for example, that you're translating a simple
message from inside a controller:
Listing 15-3

1
2
3
4
5
6
7
8
9

// ...
use Symfony\Component\HttpFoundation\Response;
public function indexAction()
{
$translated = $this->get('translator')->trans('Symfony is great');
return new Response($translated);
}

When this code is executed, Symfony will attempt to translate the message "Symfony is great" based
on the locale of the user. For this to work, you need to tell Symfony how to translate the message
via a "translation resource", which is usually a file that contains a collection of translations for a given
locale. This "dictionary" of translations can be created in several different formats, XLIFF being the
recommended format:
Listing 15-4

1
2
3
4
5
6
7
8
9
10
11
12

<!-- messages.fr.xliff -->
<?xml version="1.0"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" datatype="plaintext" original="file.ext">
<body>
<trans-unit id="1">
<source>Symfony is great</source>
<target>J'aime Symfony</target>
</trans-unit>
</body>
</file>
</xliff>

For information on where these files should be located, see Translation Resource/File Names and
Locations.
4. http://api.symfony.com/2.3/Symfony/Component/Translation/Translator.html
5. http://api.symfony.com/2.3/Symfony/Component/Translation/Translator.html#trans()

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 215

Now, if the language of the user's locale is French (e.g. fr_FR or fr_BE), the message will be translated
into J'aime Symfony. You can also translate the message inside your templates.

The Translation Process
To actually translate the message, Symfony uses a simple process:
• The locale of the current user, which is stored on the request is determined;
• A catalog (e.g. big collection) of translated messages is loaded from translation resources
defined for the locale (e.g. fr_FR). Messages from the fallback locale are also loaded and
added to the catalog if they don't already exist. The end result is a large "dictionary" of
translations.
• If the message is located in the catalog, the translation is returned. If not, the translator returns
the original message.
When using the trans() method, Symfony looks for the exact string inside the appropriate message
catalog and returns it (if it exists).

Message Placeholders
Sometimes, a message containing a variable needs to be translated:
Listing 15-5

1
2
3
4
5
6
7
8

use Symfony\Component\HttpFoundation\Response;
public function indexAction($name)
{
$translated = $this->get('translator')->trans('Hello '.$name);
return new Response($translated);
}

However, creating a translation for this string is impossible since the translator will try to look up the
exact message, including the variable portions (e.g. "Hello Ryan" or "Hello Fabien").
For details on how to handle this situation, see Message Placeholders in the components documentation.
For how to do this in templates, see Twig Templates.

Pluralization
Another complication is when you have translations that may or may not be plural, based on some
variable:
Listing 15-6

1 There is one apple.
2 There are 5 apples.

To handle this, use the transChoice()6 method or the transchoice tag/filter in your template.
For much more information, see Pluralization in the Translation component documentation.

6. http://api.symfony.com/2.3/Symfony/Component/Translation/Translator.html#transChoice()

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 216

Translations in Templates
Most of the time, translation occurs in templates. Symfony provides native support for both Twig and
PHP templates.

Twig Templates
Symfony provides specialized Twig tags (trans and transchoice) to help with message translation of
static blocks of text:
Listing 15-7

1 {% trans %}Hello %name%{% endtrans %}
2
3 {% transchoice count %}
4
{0} There are no apples|{1} There is one apple|]1,Inf] There are %count% apples
5 {% endtranschoice %}

The transchoice tag automatically gets the %count% variable from the current context and passes it to
the translator. This mechanism only works when you use a placeholder following the %var% pattern.
The %var% notation of placeholders is required when translating in Twig templates using the tag.

If you need to use the percent character (%) in a string, escape it by doubling it: {% trans
%}Percent: %percent%%%{% endtrans %}

You can also specify the message domain and pass some additional variables:
Listing 15-8

1
2
3
4
5
6
7

{% trans with {'%name%': 'Fabien'} from "app" %}Hello %name%{% endtrans %}
{% trans with {'%name%': 'Fabien'} from "app" into "fr" %}Hello %name%{% endtrans %}
{% transchoice count with {'%name%': 'Fabien'} from "app" %}
{0} %name%, there are no apples|{1} %name%, there is one apple|]1,Inf] %name%, there
are %count% apples
{% endtranschoice %}

The trans and transchoice filters can be used to translate variable texts and complex expressions:
Listing 15-9

1
2
3
4
5
6
7

{{ message|trans }}
{{ message|transchoice(5) }}
{{ message|trans({'%name%': 'Fabien'}, "app") }}
{{ message|transchoice(5, {'%name%': 'Fabien'}, 'app') }}

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 217

Using the translation tags or filters have the same effect, but with one subtle difference: automatic
output escaping is only applied to translations using a filter. In other words, if you need to be
sure that your translated message is not output escaped, you must apply the raw filter after the
translation filter:
Listing 15-10

1
2
3
4
5
6
7
8
9
10

{# text translated between tags is never escaped #}
{% trans %}
<h3>foo</h3>
{% endtrans %}
{% set message = '<h3>foo</h3>' %}

{# strings and variables translated via a filter are escaped by default #}
{{ message|trans|raw }}
{{ '<h3>bar</h3>'|trans|raw }}

You can set the translation domain for an entire Twig template with a single tag:
Listing 15-11

1 {% trans_default_domain "app" %}

Note that this only influences the current template, not any "included" template (in order to avoid
side effects).

New in version 2.1: The trans_default_domain tag was introduced in Symfony 2.1.

PHP Templates
The translator service is accessible in PHP templates through the translator helper:
Listing 15-12

1 <?php echo $view['translator']->trans('Symfony is great') ?>
2
3 <?php echo $view['translator']->transChoice(
4
'{0} There are no apples|{1} There is one apple|]1,Inf[ There are %count% apples',
5
10,
6
array('%count%' => 10)
7 ) ?>

Translation Resource/File Names and Locations
Symfony looks for message files (i.e. translations) in the following locations:
• the app/Resources/translations directory;
• the app/Resources/<bundle name>/translations directory;
• the Resources/translations/ directory inside of any bundle.
The locations are listed here with the highest priority first. That is, you can override the translation
messages of a bundle in any of the top 2 directories.

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 218

The override mechanism works at a key level: only the overridden keys need to be listed in a higher
priority message file. When a key is not found in a message file, the translator will automatically fall back
to the lower priority message files.
The filename of the translation files is also important: each message file must be named according to the
following path: domain.locale.loader:
• domain: An optional way to organize messages into groups (e.g. admin, navigation or the
default messages) - see Using Message Domains;
• locale: The locale that the translations are for (e.g. en_GB, en, etc);
• loader: How Symfony should load and parse the file (e.g. xliff, php, yml, etc).
The loader can be the name of any registered loader. By default, Symfony provides many loaders,
including:
• xliff: XLIFF file;
• php: PHP file;
• yml: YAML file.
The choice of which loader to use is entirely up to you and is a matter of taste. For more options, see
Loading Message Catalogs.
You can also store translations in a database, or any other storage by providing a custom class
implementing the LoaderInterface7 interface. See the translation.loader tag for more information.

Each time you create a new translation resource (or install a bundle that includes a translation
resource), be sure to clear your cache so that Symfony can discover the new translation resources:
Listing 15-13

1 $ php app/console cache:clear

Fallback Translation Locales
Imagine that the user's locale is fr_FR and that you're translating the key Symfony is great. To find the
French translation, Symfony actually checks translation resources for several different locales:
1. First, Symfony looks for the translation in a fr_FR translation resource (e.g.
messages.fr_FR.xliff);
2. If it wasn't found, Symfony looks for the translation in a fr translation resource (e.g.
messages.fr.xliff);
3. If the translation still isn't found, Symfony uses the fallback configuration parameter, which
defaults to en (see Configuration).

Handling the User's Locale
The locale of the current user is stored in the request and is accessible via the request object:
Listing 15-14

1 use Symfony\Component\HttpFoundation\Request;
2

7. http://api.symfony.com/2.3/Symfony/Component/Translation/Loader/LoaderInterface.html

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 219

3 public function indexAction(Request $request)
4 {
5
$locale = $request->getLocale();
6
7
$request->setLocale('en_US');
8 }

Read Making the Locale "Sticky" during a User's Session to learn, how to store the user's locale in
the session.

See the The Locale and the URL section below about setting the locale via routing.

The Locale and the URL
Since you can store the locale of the user in the session, it may be tempting to use the same URL
to display a resource in many different languages based on the user's locale. For example,
http://www.example.com/contact could show content in English for one user and French for another
user. Unfortunately, this violates a fundamental rule of the Web: that a particular URL returns the same
resource regardless of the user. To further muddy the problem, which version of the content would be
indexed by search engines?
A better policy is to include the locale in the URL. This is fully-supported by the routing system using the
special _locale parameter:
Listing 15-15

1 # app/config/routing.yml
2 contact:
3
path:
/{_locale}/contact
4
defaults: { _controller: AcmeDemoBundle:Contact:index }
5
requirements:
6
_locale: en|fr|de

When using the special _locale parameter in a route, the matched locale will automatically be set on the
Request and can be retrieved via the getLocale()8 method. In other words, if a user visits the URI /fr/
contact, the locale fr will automatically be set as the locale for the current request.
You can now use the locale to create routes to other translated pages in your application.

Setting a default Locale
What if the user's locale hasn't been determined? You can guarantee that a locale is set on each user's
request by defining a default_locale for the framework:
Listing 15-16

1 # app/config/config.yml
2 framework:
3
default_locale: en

New in version 2.1: The default_locale parameter was defined under the session key originally,
however, as of 2.1 this has been moved. This is because the locale is now set on the request instead
of the session.

8. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html#getLocale()

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 220

Translating Constraint Messages
If you're using validation constraints with the form framework, then translating the error messages is
easy: simply create a translation resource for the validators domain.
To start, suppose you've created a plain-old-PHP object that you need to use somewhere in your
application:
Listing 15-17

1
2
3
4
5
6
7

// src/Acme/BlogBundle/Entity/Author.php
namespace Acme\BlogBundle\Entity;
class Author
{
public $name;
}

Add constraints though any of the supported methods. Set the message option to the translation source
text. For example, to guarantee that the $name property is not empty, add the following:
Listing 15-18

1 # src/Acme/BlogBundle/Resources/config/validation.yml
2 Acme\BlogBundle\Entity\Author:
3
properties:
4
name:
5
- NotBlank: { message: "author.name.not_blank" }

Create a translation file under the validators catalog for the constraint messages, typically in the
Resources/translations/ directory of the bundle.
Listing 15-19

1
2
3
4
5
6
7
8
9
10
11
12

<!-- validators.en.xliff -->
<?xml version="1.0"?>
<xliff version="1.2" xmlns="urn:oasis:names:tc:xliff:document:1.2">
<file source-language="en" datatype="plaintext" original="file.ext">
<body>
<trans-unit id="1">
<source>author.name.not_blank</source>
<target>Please enter an author name.</target>
</trans-unit>
</body>
</file>
</xliff>

Translating Database Content
The translation of database content should be handled by Doctrine through the Translatable Extension9
or the Translatable Behavior10 (PHP 5.4+). For more information, see the documentation for these
libraries.

9. https://github.com/l3pp4rd/DoctrineExtensions
10. https://github.com/KnpLabs/DoctrineBehaviors

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 221

Summary
With the Symfony Translation component, creating an internationalized application no longer needs to
be a painful process and boils down to just a few basic steps:
• Abstract messages in your application by wrapping each in either the trans()11 or
transChoice()12 methods (learn about this in Using the Translator);
• Translate each message into multiple locales by creating translation message files. Symfony
discovers and processes each file because its name follows a specific convention;
• Manage the user's locale, which is stored on the request, but can also be set on the user's
session.

11. http://api.symfony.com/2.3/Symfony/Component/Translation/Translator.html#trans()
12. http://api.symfony.com/2.3/Symfony/Component/Translation/Translator.html#transChoice()

PDF brought to you by
generated on October 9, 2014

Chapter 15: Translations | 222

Chapter 16

Service Container
A modern PHP application is full of objects. One object may facilitate the delivery of email messages
while another may allow you to persist information into a database. In your application, you may create
an object that manages your product inventory, or another object that processes data from a third-party
API. The point is that a modern application does many things and is organized into many objects that
handle each task.
This chapter is about a special PHP object in Symfony that helps you instantiate, organize and retrieve
the many objects of your application. This object, called a service container, will allow you to standardize
and centralize the way objects are constructed in your application. The container makes your life easier,
is super fast, and emphasizes an architecture that promotes reusable and decoupled code. Since all core
Symfony classes use the container, you'll learn how to extend, configure and use any object in Symfony.
In large part, the service container is the biggest contributor to the speed and extensibility of Symfony.
Finally, configuring and using the service container is easy. By the end of this chapter, you'll be
comfortable creating your own objects via the container and customizing objects from any third-party
bundle. You'll begin writing code that is more reusable, testable and decoupled, simply because the
service container makes writing good code so easy.
If you want to know a lot more after reading this chapter, check out the DependencyInjection
component documentation.

What is a Service?
Put simply, a Service is any PHP object that performs some sort of "global" task. It's a purposefully-generic
name used in computer science to describe an object that's created for a specific purpose (e.g. delivering
emails). Each service is used throughout your application whenever you need the specific functionality it
provides. You don't have to do anything special to make a service: simply write a PHP class with some
code that accomplishes a specific task. Congratulations, you've just created a service!

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 223

As a rule, a PHP object is a service if it is used globally in your application. A single Mailer service
is used globally to send email messages whereas the many Message objects that it delivers are not
services. Similarly, a Product object is not a service, but an object that persists Product objects to
a database is a service.

So what's the big deal then? The advantage of thinking about "services" is that you begin to think about
separating each piece of functionality in your application into a series of services. Since each service does
just one job, you can easily access each service and use its functionality wherever you need it. Each service
can also be more easily tested and configured since it's separated from the other functionality in your
application. This idea is called service-oriented architecture1 and is not unique to Symfony or even PHP.
Structuring your application around a set of independent service classes is a well-known and trusted
object-oriented best-practice. These skills are key to being a good developer in almost any language.

What is a Service Container?
A Service Container (or dependency injection container) is simply a PHP object that manages the
instantiation of services (i.e. objects).
For example, suppose you have a simple PHP class that delivers email messages. Without a service
container, you must manually create the object whenever you need it:
Listing 16-1

1 use Acme\HelloBundle\Mailer;
2
3 $mailer = new Mailer('sendmail');
4 $mailer->send('ryan@example.com', ...);

This is easy enough. The imaginary Mailer class allows you to configure the method used to deliver the
email messages (e.g. sendmail, smtp, etc). But what if you wanted to use the mailer service somewhere
else? You certainly don't want to repeat the mailer configuration every time you need to use the Mailer
object. What if you needed to change the transport from sendmail to smtp everywhere in the
application? You'd need to hunt down every place you create a Mailer service and change it.

Creating/Configuring Services in the Container
A better answer is to let the service container create the Mailer object for you. In order for this to work,
you must teach the container how to create the Mailer service. This is done via configuration, which can
be specified in YAML, XML or PHP:
Listing 16-2

1 # app/config/config.yml
2 services:
3
my_mailer:
4
class:
Acme\HelloBundle\Mailer
5
arguments:
[sendmail]

When Symfony initializes, it builds the service container using the application configuration
(app/config/config.yml by default). The exact file that's loaded is dictated by the
AppKernel::registerContainerConfiguration() method, which loads an environment-specific
configuration file (e.g. config_dev.yml for the dev environment or config_prod.yml for prod).

1. http://wikipedia.org/wiki/Service-oriented_architecture

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 224

An instance of the Acme\HelloBundle\Mailer object is now available via the service container. The
container is available in any traditional Symfony controller where you can access the services of the
container via the get() shortcut method:
Listing 16-3

1 class HelloController extends Controller
2 {
3
// ...
4
5
public function sendEmailAction()
6
{
7
// ...
8
$mailer = $this->get('my_mailer');
9
$mailer->send('ryan@foobar.net', ...);
10
}
11 }

When you ask for the my_mailer service from the container, the container constructs the object and
returns it. This is another major advantage of using the service container. Namely, a service is never
constructed until it's needed. If you define a service and never use it on a request, the service is never
created. This saves memory and increases the speed of your application. This also means that there's very
little or no performance hit for defining lots of services. Services that are never used are never constructed.
As an added bonus, the Mailer service is only created once and the same instance is returned each time
you ask for the service. This is almost always the behavior you'll need (it's more flexible and powerful),
but you'll learn later how you can configure a service that has multiple instances in the "How to Work
with Scopes" cookbook article.
In this example, the controller extends Symfony's base Controller, which gives you access to the
service container itself. You can then use the get method to locate and retrieve the my_mailer
service from the service container. You can also define your controllers as services. This is a bit
more advanced and not necessary, but it allows you to inject only the services you need into your
controller.

Service Parameters
The creation of new services (i.e. objects) via the container is pretty straightforward. Parameters make
defining services more organized and flexible:
Listing 16-4

1 # app/config/config.yml
2 parameters:
3
my_mailer.class:
Acme\HelloBundle\Mailer
4
my_mailer.transport: sendmail
5
6 services:
7
my_mailer:
8
class:
"%my_mailer.class%"
9
arguments:
["%my_mailer.transport%"]

The end result is exactly the same as before - the difference is only in how you defined the service. By
surrounding the my_mailer.class and my_mailer.transport strings in percent (%) signs, the container
knows to look for parameters with those names. When the container is built, it looks up the value of each
parameter and uses it in the service definition.

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 225

If you want to use a string that starts with an @ sign as a parameter value (i.e. a very safe mailer
password) in a YAML file, you need to escape it by adding another @ sign (this only applies to the
YAML format):
Listing 16-5

1 # app/config/parameters.yml
2 parameters:
3
# This will be parsed as string "@securepass"
4
mailer_password: "@@securepass"

The percent sign inside a parameter or argument, as part of the string, must be escaped with
another percent sign:
Listing 16-6

<argument type="string">http://symfony.com/?foo=%%s&bar=%%d</argument>

You may receive a ScopeWideningInjectionException2 when passing the request service as an
argument. To understand this problem better and learn how to solve it, refer to the cookbook
article How to Work with Scopes.

The purpose of parameters is to feed information into services. Of course there was nothing wrong with
defining the service without using any parameters. Parameters, however, have several advantages:
• separation and organization of all service "options" under a single parameters key;
• parameter values can be used in multiple service definitions;
• when creating a service in a bundle (this follows shortly), using parameters allows the service
to be easily customized in your application.
The choice of using or not using parameters is up to you. High-quality third-party bundles will always
use parameters as they make the service stored in the container more configurable. For the services in
your application, however, you may not need the flexibility of parameters.

Array Parameters
Parameters can also contain array values. See Array Parameters.

Importing other Container Configuration Resources
In this section, service configuration files are referred to as resources. This is to highlight the fact
that, while most configuration resources will be files (e.g. YAML, XML, PHP), Symfony is so
flexible that configuration could be loaded from anywhere (e.g. a database or even via an external
web service).

The service container is built using a single configuration resource (app/config/config.yml by default).
All other service configuration (including the core Symfony and third-party bundle configuration) must
be imported from inside this file in one way or another. This gives you absolute flexibility over the
services in your application.

2. http://api.symfony.com/2.3/Symfony/Component/DependencyInjection/Exception/ScopeWideningInjectionException.html

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 226

External service configuration can be imported in two different ways. The first - and most common
method - is via the imports directive. Later, you'll learn about the second method, which is the flexible
and preferred method for importing service configuration from third-party bundles.

Importing Configuration with imports
So far, you've placed your my_mailer service container definition directly in the application configuration
file (e.g. app/config/config.yml). Of course, since the Mailer class itself lives inside the
AcmeHelloBundle, it makes more sense to put the my_mailer container definition inside the bundle as
well.
First, move the my_mailer container definition into a new container resource file inside
AcmeHelloBundle. If the Resources or Resources/config directories don't exist, create them.
Listing 16-7

1 # src/Acme/HelloBundle/Resources/config/services.yml
2 parameters:
3
my_mailer.class:
Acme\HelloBundle\Mailer
4
my_mailer.transport: sendmail
5
6 services:
7
my_mailer:
8
class:
"%my_mailer.class%"
9
arguments:
["%my_mailer.transport%"]

The definition itself hasn't changed, only its location. Of course the service container doesn't know about
the new resource file. Fortunately, you can easily import the resource file using the imports key in the
application configuration.
Listing 16-8

1 # app/config/config.yml
2 imports:
3
- { resource: "@AcmeHelloBundle/Resources/config/services.yml" }

Due to the way in which parameters are resolved, you cannot use them to build paths in imports
dynamically. This means that something like the following doesn't work:
Listing 16-9

1 # app/config/config.yml
2 imports:
3
- { resource: "%kernel.root_dir%/parameters.yml" }

The imports directive allows your application to include service container configuration resources from
any other location (most commonly from bundles). The resource location, for files, is the absolute path
to the resource file. The special @AcmeHello syntax resolves the directory path of the AcmeHelloBundle
bundle. This helps you specify the path to the resource without worrying later if you move the
AcmeHelloBundle to a different directory.

Importing Configuration via Container Extensions
When developing in Symfony, you'll most commonly use the imports directive to import container
configuration from the bundles you've created specifically for your application. Third-party bundle
container configuration, including Symfony core services, are usually loaded using another method that's
more flexible and easy to configure in your application.
Here's how it works. Internally, each bundle defines its services very much like you've seen so far.
Namely, a bundle uses one or more configuration resource files (usually XML) to specify the parameters
PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 227

and services for that bundle. However, instead of importing each of these resources directly from your
application configuration using the imports directive, you can simply invoke a service container extension
inside the bundle that does the work for you. A service container extension is a PHP class created by the
bundle author to accomplish two things:
• import all service container resources needed to configure the services for the bundle;
• provide semantic, straightforward configuration so that the bundle can be configured without
interacting with the flat parameters of the bundle's service container configuration.
In other words, a service container extension configures the services for a bundle on your behalf. And as
you'll see in a moment, the extension provides a sensible, high-level interface for configuring the bundle.
Take the FrameworkBundle - the core Symfony framework bundle - as an example. The presence of
the following code in your application configuration invokes the service container extension inside the
FrameworkBundle:
Listing 16-10

1 # app/config/config.yml
2 framework:
3
secret:
xxxxxxxxxx
4
form:
true
5
csrf_protection: true
6
router:
{ resource: "%kernel.root_dir%/config/routing.yml" }
7
# ...

When the configuration is parsed, the container looks for an extension that can handle the framework
configuration directive. The extension in question, which lives in the FrameworkBundle, is invoked and
the service configuration for the FrameworkBundle is loaded. If you remove the framework key from your
application configuration file entirely, the core Symfony services won't be loaded. The point is that you're
in control: the Symfony framework doesn't contain any magic or perform any actions that you don't have
control over.
Of course you can do much more than simply "activate" the service container extension of the
FrameworkBundle. Each extension allows you to easily customize the bundle, without worrying about
how the internal services are defined.
In this case, the extension allows you to customize the error_handler, csrf_protection, router
configuration and much more. Internally, the FrameworkBundle uses the options specified here to define
and configure the services specific to it. The bundle takes care of creating all the necessary parameters
and services for the service container, while still allowing much of the configuration to be easily
customized. As an added bonus, most service container extensions are also smart enough to perform
validation - notifying you of options that are missing or the wrong data type.
When installing or configuring a bundle, see the bundle's documentation for how the services for the
bundle should be installed and configured. The options available for the core bundles can be found inside
the Reference Guide.
Natively, the service container only recognizes the parameters, services, and imports directives.
Any other directives are handled by a service container extension.

If you want to expose user friendly configuration in your own bundles, read the "How to Load Service
Configuration inside a Bundle" cookbook recipe.

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 228

Referencing (Injecting) Services
So far, the original my_mailer service is simple: it takes just one argument in its constructor, which is
easily configurable. As you'll see, the real power of the container is realized when you need to create a
service that depends on one or more other services in the container.
As an example, suppose you have a new service, NewsletterManager, that helps to manage the
preparation and delivery of an email message to a collection of addresses. Of course the my_mailer
service is already really good at delivering email messages, so you'll use it inside NewsletterManager to
handle the actual delivery of the messages. This pretend class might look something like this:
Listing 16-11

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

// src/Acme/HelloBundle/Newsletter/NewsletterManager.php
namespace Acme\HelloBundle\Newsletter;
use Acme\HelloBundle\Mailer;
class NewsletterManager
{
protected $mailer;
public function __construct(Mailer $mailer)
{
$this->mailer = $mailer;
}

// ...
}

Without using the service container, you can create a new NewsletterManager fairly easily from inside a
controller:
Listing 16-12

1
2
3
4
5
6
7
8
9
10

use Acme\HelloBundle\Newsletter\NewsletterManager;

// ...
public function sendNewsletterAction()
{
$mailer = $this->get('my_mailer');
$newsletter = new NewsletterManager($mailer);
// ...
}

This approach is fine, but what if you decide later that the NewsletterManager class needs a second or
third constructor argument? What if you decide to refactor your code and rename the class? In both cases,
you'd need to find every place where the NewsletterManager is instantiated and modify it. Of course,
the service container gives you a much more appealing option:
Listing 16-13

1 # src/Acme/HelloBundle/Resources/config/services.yml
2 parameters:
3
# ...
4
newsletter_manager.class: Acme\HelloBundle\Newsletter\NewsletterManager
5
6 services:
7
my_mailer:
8
# ...
9
newsletter_manager:

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 229

10
11

class:
"%newsletter_manager.class%"
arguments: ["@my_mailer"]

In YAML, the special @my_mailer syntax tells the container to look for a service named my_mailer and to
pass that object into the constructor of NewsletterManager. In this case, however, the specified service
my_mailer must exist. If it does not, an exception will be thrown. You can mark your dependencies as
optional - this will be discussed in the next section.
Using references is a very powerful tool that allows you to create independent service classes with welldefined dependencies. In this example, the newsletter_manager service needs the my_mailer service in
order to function. When you define this dependency in the service container, the container takes care of
all the work of instantiating the classes.

Optional Dependencies: Setter Injection
Injecting dependencies into the constructor in this manner is an excellent way of ensuring that the
dependency is available to use. If you have optional dependencies for a class, then "setter injection" may
be a better option. This means injecting the dependency using a method call rather than through the
constructor. The class would look like this:
Listing 16-14

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

namespace Acme\HelloBundle\Newsletter;
use Acme\HelloBundle\Mailer;
class NewsletterManager
{
protected $mailer;
public function setMailer(Mailer $mailer)
{
$this->mailer = $mailer;
}

// ...
}

Injecting the dependency by the setter method just needs a change of syntax:
Listing 16-15

1 # src/Acme/HelloBundle/Resources/config/services.yml
2 parameters:
3
# ...
4
newsletter_manager.class: Acme\HelloBundle\Newsletter\NewsletterManager
5
6 services:
7
my_mailer:
8
# ...
9
newsletter_manager:
10
class:
"%newsletter_manager.class%"
11
calls:
12
- [setMailer, ["@my_mailer"]]

The approaches presented in this section are called "constructor injection" and "setter injection".
The Symfony service container also supports "property injection".

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 230

Making References optional
Sometimes, one of your services may have an optional dependency, meaning that the dependency is
not required for your service to work properly. In the example above, the my_mailer service must exist,
otherwise an exception will be thrown. By modifying the newsletter_manager service definition, you
can make this reference optional. The container will then inject it if it exists and do nothing if it doesn't:
Listing 16-16

1 # src/Acme/HelloBundle/Resources/config/services.yml
2 parameters:
3
# ...
4
5 services:
6
newsletter_manager:
7
class:
"%newsletter_manager.class%"
8
arguments: ["@?my_mailer"]

In YAML, the special @? syntax tells the service container that the dependency is optional. Of course, the
NewsletterManager must also be rewritten to allow for an optional dependency:
Listing 16-17

1 public function __construct(Mailer $mailer = null)
2 {
3
// ...
4 }

Core Symfony and Third-Party Bundle Services
Since Symfony and all third-party bundles configure and retrieve their services via the container, you can
easily access them or even use them in your own services. To keep things simple, Symfony by default
does not require that controllers be defined as services. Furthermore, Symfony injects the entire service
container into your controller. For example, to handle the storage of information on a user's session,
Symfony provides a session service, which you can access inside a standard controller as follows:
Listing 16-18

1 public function indexAction($bar)
2 {
3
$session = $this->get('session');
4
$session->set('foo', $bar);
5
6
// ...
7 }

In Symfony, you'll constantly use services provided by the Symfony core or other third-party bundles
to perform tasks such as rendering templates (templating), sending emails (mailer), or accessing
information on the request (request).
You can take this a step further by using these services inside services that you've created for your
application. Beginning by modifying the NewsletterManager to use the real Symfony mailer service
(instead of the pretend my_mailer). Also pass the templating engine service to the NewsletterManager
so that it can generate the email content via a template:
Listing 16-19

1 namespace Acme\HelloBundle\Newsletter;
2
3 use Symfony\Component\Templating\EngineInterface;
4

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 231

5 class NewsletterManager
6 {
7
protected $mailer;
8
9
protected $templating;
10
11
public function __construct(
12
\Swift_Mailer $mailer,
13
EngineInterface $templating
14
) {
15
$this->mailer = $mailer;
16
$this->templating = $templating;
17
}
18
19
// ...
20 }

Configuring the service container is easy:
Listing 16-20

1 # src/Acme/HelloBundle/Resources/config/services.yml
2 services:
3
newsletter_manager:
4
class:
"%newsletter_manager.class%"
5
arguments: ["@mailer", "@templating"]

The newsletter_manager service now has access to the core mailer and templating services. This is a
common way to create services specific to your application that leverage the power of different services
within the framework.
Be sure that the swiftmailer entry appears in your application configuration. As was mentioned
in Importing Configuration via Container Extensions, the swiftmailer key invokes the service
extension from the SwiftmailerBundle, which registers the mailer service.

Tags
In the same way that a blog post on the Web might be tagged with things such as "Symfony" or "PHP",
services configured in your container can also be tagged. In the service container, a tag implies that the
service is meant to be used for a specific purpose. Take the following example:
Listing 16-21

1 # app/config/services.yml
2 services:
3
foo.twig.extension:
4
class: Acme\HelloBundle\Extension\FooExtension
5
tags:
6
- { name: twig.extension }

The twig.extension tag is a special tag that the TwigBundle uses during configuration. By giving
the service this twig.extension tag, the bundle knows that the foo.twig.extension service should
be registered as a Twig extension with Twig. In other words, Twig finds all services tagged with
twig.extension and automatically registers them as extensions.
Tags, then, are a way to tell Symfony or other third-party bundles that your service should be registered
or used in some special way by the bundle.

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 232

For a list of all the tags available in the core Symfony Framework, check out The Dependency Injection
Tags. Each of these has a different effect on your service and many tags require additional arguments
(beyond just the name parameter).

Debugging Services
You can find out what services are registered with the container using the console. To show all services
and the class for each service, run:
Listing 16-22

1 $ php app/console container:debug

By default only public services are shown, but you can also view private services:
Listing 16-23

1 $ php app/console container:debug --show-private

If a private service is only used as an argument to just one other service, it won't be displayed by
the container:debug command, even when using the --show-private option. See Inline Private
Services for more details.

You can get more detailed information about a particular service by specifying its id:
Listing 16-24

1 $ php app/console container:debug my_mailer

Learn more











Introduction to Parameters
Compiling the Container
Working with Container Service Definitions
Using a Factory to Create Services
Managing common Dependencies with parent Services
Working with Tagged Services
How to Define Controllers as Services
How to Work with Scopes
How to Work with Compiler Passes in Bundles
Advanced Container Configuration

PDF brought to you by
generated on October 9, 2014

Chapter 16: Service Container | 233

Chapter 17

Performance
Symfony is fast, right out of the box. Of course, if you really need speed, there are many ways that you
can make Symfony even faster. In this chapter, you'll explore many of the most common and powerful
ways to make your Symfony application even faster.

Use a Byte Code Cache (e.g. APC)
One of the best (and easiest) things that you should do to improve your performance is to use a "byte
code cache". The idea of a byte code cache is to remove the need to constantly recompile the PHP source
code. There are a number of byte code caches1 available, some of which are open source. The most widely
used byte code cache is probably APC2
Using a byte code cache really has no downside, and Symfony has been architected to perform really well
in this type of environment.

Further Optimizations
Byte code caches usually monitor the source files for changes. This ensures that if the source of a
file changes, the byte code is recompiled automatically. This is really convenient, but obviously adds
overhead.
For this reason, some byte code caches offer an option to disable these checks. Obviously, when disabling
these checks, it will be up to the server admin to ensure that the cache is cleared whenever any source
files change. Otherwise, the updates you've made won't be seen.
For example, to disable these checks in APC, simply add apc.stat=0 to your php.ini configuration.

1. http://en.wikipedia.org/wiki/List_of_PHP_accelerators
2. http://php.net/manual/en/book.apc.php

PDF brought to you by
generated on October 9, 2014

Chapter 17: Performance | 234

Use Composer's Class Map Functionality
By default, the Symfony standard edition uses Composer's autoloader in the autoload.php3 file. This
autoloader is easy to use, as it will automatically find any new classes that you've placed in the registered
directories.
Unfortunately, this comes at a cost, as the loader iterates over all configured namespaces to find a
particular file, making file_exists calls until it finally finds the file it's looking for.
The simplest solution is to tell Composer to build a "class map" (i.e. a big array of the locations of all the
classes). This can be done from the command line, and might become part of your deploy process:
Listing 17-1

1 $ php composer.phar dump-autoload --optimize

Internally, this builds the big class map array in vendor/composer/autoload_classmap.php.

Caching the Autoloader with APC
Another solution is to cache the location of each class after it's located the first time. Symfony comes with
a class - ApcClassLoader4 - that does exactly this. To use it, just adapt your front controller file. If you're
using the Standard Distribution, this code should already be available as comments in this file:
Listing 17-2

1
2
3
4
5
6
7
8
9
10
11
12
13
14

// app.php
// ...
$loader = require_once __DIR__.'/../app/bootstrap.php.cache';

// Use APC for autoloading to improve performance
// Change 'sf2' by the prefix you want in order
// to prevent key conflict with another application
/*
$loader = new ApcClassLoader('sf2', $loader);
$loader->register(true);
*/
// ...

For more details, see Cache a Class Loader.
When using the APC autoloader, if you add new classes, they will be found automatically and
everything will work the same as before (i.e. no reason to "clear" the cache). However, if you
change the location of a particular namespace or prefix, you'll need to flush your APC cache.
Otherwise, the autoloader will still be looking at the old location for all classes inside that
namespace.

Use Bootstrap Files
To ensure optimal flexibility and code reuse, Symfony applications leverage a variety of classes and 3rd
party components. But loading all of these classes from separate files on each request can result in some
overhead. To reduce this overhead, the Symfony Standard Edition provides a script to generate a so3. https://github.com/symfony/symfony-standard/blob/master/app/autoload.php
4. http://api.symfony.com/2.3/Symfony/Component/ClassLoader/ApcClassLoader.html

PDF brought to you by
generated on October 9, 2014

Chapter 17: Performance | 235

called bootstrap file5, consisting of multiple classes definitions in a single file. By including this file (which
contains a copy of many of the core classes), Symfony no longer needs to include any of the source files
containing those classes. This will reduce disc IO quite a bit.
If you're using the Symfony Standard Edition, then you're probably already using the bootstrap file. To be
sure, open your front controller (usually app.php) and check to make sure that the following line exists:
Listing 17-3

1 require_once __DIR__.'/../app/bootstrap.php.cache';

Note that there are two disadvantages when using a bootstrap file:
• the file needs to be regenerated whenever any of the original sources change (i.e. when you
update the Symfony source or vendor libraries);
• when debugging, one will need to place break points inside the bootstrap file.
If you're using the Symfony Standard Edition, the bootstrap file is automatically rebuilt after updating the
vendor libraries via the php composer.phar install command.

Bootstrap Files and Byte Code Caches
Even when using a byte code cache, performance will improve when using a bootstrap file since there
will be fewer files to monitor for changes. Of course if this feature is disabled in the byte code cache (e.g.
apc.stat=0 in APC), there is no longer a reason to use a bootstrap file.

5. https://github.com/sensio/SensioDistributionBundle/blob/master/Composer/ScriptHandler.php

PDF brought to you by
generated on October 9, 2014

Chapter 17: Performance | 236

Chapter 18

Internals
Looks like you want to understand how Symfony works and how to extend it. That makes me very
happy! This section is an in-depth explanation of the Symfony internals.
You only need to read this section if you want to understand how Symfony works behind the
scenes, or if you want to extend Symfony.

Overview
The Symfony code is made of several independent layers. Each layer is built on top of the previous one.
Autoloading is not managed by the framework directly; it's done by using Composer's autoloader
(vendor/autoload.php), which is included in the app/autoload.php file.

HttpFoundation Component
The deepest level is the HttpFoundation1 component. HttpFoundation provides the main objects needed
to deal with HTTP. It is an object-oriented abstraction of some native PHP functions and variables:
• The Request2 class abstracts the main PHP global variables like $_GET, $_POST, $_COOKIE,
$_FILES, and $_SERVER;
• The Response3 class abstracts some PHP functions like header(), setcookie(), and echo;
• The Session4 class and SessionStorageInterface5 interface abstract session management
session_*() functions.
1. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation.html
2. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html
3. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html
4. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Session.html
5. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/SessionStorage/SessionStorageInterface.html

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 237

Read more about the HttpFoundation component.

HttpKernel Component
On top of HttpFoundation is the HttpKernel6 component. HttpKernel handles the dynamic part of
HTTP; it is a thin wrapper on top of the Request and Response classes to standardize the way requests
are handled. It also provides extension points and tools that makes it the ideal starting point to create a
Web framework without too much overhead.
It also optionally adds configurability and extensibility, thanks to the DependencyInjection component
and a powerful plugin system (bundles).
Read more about the HttpKernel component, Dependency Injection and Bundles.

FrameworkBundle
The FrameworkBundle7 bundle is the bundle that ties the main components and libraries together
to make a lightweight and fast MVC framework. It comes with a sensible default configuration and
conventions to ease the learning curve.

Kernel
The HttpKernel8 class is the central class of Symfony and is responsible for handling client requests. Its
main goal is to "convert" a Request9 object to a Response10 object.
Every Symfony Kernel implements HttpKernelInterface11:
Listing 18-1

1 function handle(Request $request, $type = self::MASTER_REQUEST, $catch = true)

Controllers
To convert a Request to a Response, the Kernel relies on a "Controller". A Controller can be any valid
PHP callable.
The Kernel delegates the selection of what Controller should be executed to an implementation of
ControllerResolverInterface12:
Listing 18-2

1 public function getController(Request $request);
2
3 public function getArguments(Request $request, $controller);

The getController()13 method returns the Controller (a PHP callable) associated with the given
Request. The default implementation (ControllerResolver14) looks for a _controller request attribute
6. http://api.symfony.com/2.3/Symfony/Component/HttpKernel.html
7. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle.html
8. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/HttpKernel.html
9. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Request.html
10. http://api.symfony.com/2.3/Symfony/Component/HttpFoundation/Response.html
11. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/HttpKernelInterface.html
12. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Controller/ControllerResolverInterface.html
13. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Controller/ControllerResolverInterface.html#getController()

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 238

that
represents
the
controller
name
Bundle\BlogBundle\PostController:indexAction).

(a

"class::method"

string,

like

The default implementation uses the RouterListener15 to define the _controller Request
attribute (see kernel.request Event).

The getArguments()16 method returns an array of arguments to pass to the Controller callable. The
default implementation automatically resolves the method arguments, based on the Request attributes.

Matching Controller Method Arguments from Request Attributes
For each method argument, Symfony tries to get the value of a Request attribute with the same
name. If it is not defined, the argument default value is used if defined:
Listing 18-3

1
2
3
4
5
6

// Symfony will look for an 'id' attribute (mandatory)
// and an 'admin' one (optional)
public function showAction($id, $admin = true)
{
// ...
}

Handling Requests
The handle()17 method takes a Request and always returns a Response. To convert the Request,
handle() relies on the Resolver and an ordered chain of Event notifications (see the next section for more
information about each Event):
1. Before doing anything else, the kernel.request event is notified -- if one of the listeners returns
a Response, it jumps to step 8 directly;
2. The Resolver is called to determine the Controller to execute;
3. Listeners of the kernel.controller event can now manipulate the Controller callable the way
they want (change it, wrap it, ...);
4. The Kernel checks that the Controller is actually a valid PHP callable;
5. The Resolver is called to determine the arguments to pass to the Controller;
6. The Kernel calls the Controller;
7. If the Controller does not return a Response, listeners of the kernel.view event can convert the
Controller return value to a Response;
8. Listeners of the kernel.response event can manipulate the Response (content and headers);
9. The Response is returned;
10. Listeners of the kernel.terminate event can perform tasks after the Response has been served.
If an Exception is thrown during processing, the kernel.exception is notified and listeners are given a
chance to convert the Exception to a Response. If that works, the kernel.response event is notified; if
not, the Exception is re-thrown.
If you don't want Exceptions to be caught (for embedded requests for instance), disable the
kernel.exception event by passing false as the third argument to the handle() method.

14. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Controller/ControllerResolver.html
15. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/EventListener/RouterListener.html
16. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Controller/ControllerResolverInterface.html#getArguments()
17. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/HttpKernel.html#handle()

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 239

Internal Requests
At any time during the handling of a request (the 'master' one), a sub-request can be handled. You can
pass the request type to the handle() method (its second argument):
• HttpKernelInterface::MASTER_REQUEST;
• HttpKernelInterface::SUB_REQUEST.
The type is passed to all events and listeners can act accordingly (some processing must only occur on
the master request).

Events
Each event thrown by the Kernel is a subclass of KernelEvent18. This means that each event has access
to the same basic information:
• getRequestType()19
returns
the
type
of
the
request
(HttpKernelInterface::MASTER_REQUEST or HttpKernelInterface::SUB_REQUEST);
• getKernel()20 - returns the Kernel handling the request;
• getRequest()21 - returns the current Request being handled.

getRequestType()
The getRequestType() method allows listeners to know the type of the request. For instance, if a listener
must only be active for master requests, add the following code at the beginning of your listener method:
Listing 18-4

1 use Symfony\Component\HttpKernel\HttpKernelInterface;
2
3 if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
4
// return immediately
5
return;
6 }

If you are not yet familiar with the Symfony EventDispatcher, read the EventDispatcher component
documentation section first.

kernel.request Event
Event Class: GetResponseEvent22
The goal of this event is to either return a Response object immediately or setup variables so that a
Controller can be called after the event. Any listener can return a Response object via the setResponse()
method on the event. In this case, all other listeners won't be called.
This event is used by the FrameworkBundle to populate the _controller Request attribute, via the
RouterListener23. RequestListener uses a RouterInterface24 object to match the Request and
determine the Controller name (stored in the _controller Request attribute).

18. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/KernelEvent.html
19. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/KernelEvent.html#getRequestType()
20. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/KernelEvent.html#getKernel()
21. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/KernelEvent.html#getRequest()
22. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/GetResponseEvent.html
23. http://api.symfony.com/2.3/Symfony/Bundle/FrameworkBundle/EventListener/RouterListener.html
24. http://api.symfony.com/2.3/Symfony/Component/Routing/RouterInterface.html

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 240

Read more on the kernel.request event.

kernel.controller Event
Event Class: FilterControllerEvent25
This event is not used by the FrameworkBundle, but can be an entry point used to modify the controller
that should be executed:
Listing 18-5

1
2
3
4
5
6
7
8
9
10

use Symfony\Component\HttpKernel\Event\FilterControllerEvent;
public function onKernelController(FilterControllerEvent $event)
{
$controller = $event->getController();
// ...

// the controller can be changed to any PHP callable
$event->setController($controller);
}

Read more on the kernel.controller event.

kernel.view Event
Event Class: GetResponseForControllerResultEvent26
This event is not used by the FrameworkBundle, but it can be used to implement a view sub-system. This
event is called only if the Controller does not return a Response object. The purpose of the event is to
allow some other return value to be converted into a Response.
The value returned by the Controller is accessible via the getControllerResult method:
Listing 18-6

1
2
3
4
5
6
7
8
9
10
11
12

use Symfony\Component\HttpKernel\Event\GetResponseForControllerResultEvent;
use Symfony\Component\HttpFoundation\Response;
public function onKernelView(GetResponseForControllerResultEvent $event)
{
$val = $event->getControllerResult();
$response = new Response();

// ... some how customize the Response from the return value
$event->setResponse($response);
}

Read more on the kernel.view event.

kernel.response Event
Event Class: FilterResponseEvent27
The purpose of this event is to allow other systems to modify or replace the Response object after its
creation:
25. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/FilterControllerEvent.html
26. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/GetResponseForControllerResultEvent.html
27. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/FilterResponseEvent.html

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 241

Listing 18-7

1 public function onKernelResponse(FilterResponseEvent $event)
2 {
3
$response = $event->getResponse();
4
5
// ... modify the response object
6 }

The FrameworkBundle registers several listeners:





ProfilerListener28: collects data for the current request;
WebDebugToolbarListener29: injects the Web Debug Toolbar;
ResponseListener30: fixes the Response Content-Type based on the request format;
EsiListener31: adds a Surrogate-Control HTTP header when the Response needs to be
parsed for ESI tags.
Read more on the kernel.response event.

kernel.terminate Event
Event Class: PostResponseEvent32
The purpose of this event is to perform "heavier" tasks after the response was already served to the client.
Read more on the kernel.terminate event.

kernel.exception Event
Event Class: GetResponseForExceptionEvent33
The FrameworkBundle registers an ExceptionListener34 that forwards the Request to a given
Controller (the value of the exception_listener.controller parameter -- must be in the
class::method notation).
A listener on this event can create and set a Response object, create and set a new Exception object, or
do nothing:
Listing 18-8

1
2
3
4
5
6
7
8
9
10
11
12

use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpFoundation\Response;
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
$response = new Response();
// setup the Response object based on the caught exception
$event->setResponse($response);

// you can alternatively set a new Exception
// $exception = new \Exception('Some special exception');

28. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/EventListener/ProfilerListener.html
29. http://api.symfony.com/2.3/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.html
30. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/EventListener/ResponseListener.html
31. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/EventListener/EsiListener.html
32. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/PostResponseEvent.html
33. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Event/GetResponseForExceptionEvent.html
34. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/EventListener/ExceptionListener.html

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 242

13
14 }

// $event->setException($exception);

As Symfony ensures that the Response status code is set to the most appropriate one depending on
the exception, setting the status on the response won't work. If you want to overwrite the status
code (which you should not without a good reason), set the X-Status-Code header:
Listing 18-9

1 return new Response(
2
'Error',
3
404 // ignored,
4
array('X-Status-Code' => 200)
5 );

Read more on the kernel.exception event.

The EventDispatcher
The EventDispatcher is a standalone component that is responsible for much of the underlying logic
and flow behind a Symfony request. For more information, see the EventDispatcher component
documentation.

Profiler
When enabled, the Symfony profiler collects useful information about each request made to your
application and store them for later analysis. Use the profiler in the development environment to help you
to debug your code and enhance performance; use it in the production environment to explore problems
after the fact.
You rarely have to deal with the profiler directly as Symfony provides visualizer tools like the Web Debug
Toolbar and the Web Profiler. If you use the Symfony Standard Edition, the profiler, the web debug
toolbar, and the web profiler are all already configured with sensible settings.
The profiler collects information for all requests (simple requests, redirects, exceptions, Ajax
requests, ESI requests; and for all HTTP methods and all formats). It means that for a single URL,
you can have several associated profiling data (one per external request/response pair).

Visualizing Profiling Data
Using the Web Debug Toolbar
In the development environment, the web debug toolbar is available at the bottom of all pages. It displays
a good summary of the profiling data that gives you instant access to a lot of useful information when
something does not work as expected.
If the summary provided by the Web Debug Toolbar is not enough, click on the token link (a string made
of 13 random characters) to access the Web Profiler.

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 243

If the token is not clickable, it means that the profiler routes are not registered (see below for
configuration information).

Analyzing Profiling Data with the Web Profiler
The Web Profiler is a visualization tool for profiling data that you can use in development to debug your
code and enhance performance; but it can also be used to explore problems that occur in production. It
exposes all information collected by the profiler in a web interface.

Accessing the Profiling information
You don't need to use the default visualizer to access the profiling information. But how can you retrieve
profiling information for a specific request after the fact? When the profiler stores data about a Request,
it also associates a token with it; this token is available in the X-Debug-Token HTTP header of the
Response:
Listing 18-10

1 $profile = $container->get('profiler')->loadProfileFromResponse($response);
2
3 $profile = $container->get('profiler')->loadProfile($token);

When the profiler is enabled but not the web debug toolbar, or when you want to get the token for
an Ajax request, use a tool like Firebug to get the value of the X-Debug-Token HTTP header.

Use the find()35 method to access tokens based on some criteria:
Listing 18-11

1
2
3
4
5
6
7
8
9
10
11

// get the latest 10 tokens
$tokens = $container->get('profiler')->find('', '', 10, '', '');
// get the latest 10 tokens for all URL containing /admin/
$tokens = $container->get('profiler')->find('', '/admin/', 10, '', '');
// get the latest 10 tokens for local requests
$tokens = $container->get('profiler')->find('127.0.0.1', '', 10, '', '');
// get the latest 10 tokens for requests that happened between 2 and 4 days ago
$tokens = $container->get('profiler')->find('', '', 10, '4 days ago', '2 days ago');

If you want to manipulate profiling data on a different machine than the one where the information were
generated, use the export()36 and import()37 methods:
Listing 18-12

1
2
3
4
5
6

// on the production machine
$profile = $container->get('profiler')->loadProfile($token);
$data = $profiler->export($profile);
// on the development machine
$profiler->import($data);

35. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Profiler/Profiler.html#find()
36. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Profiler/Profiler.html#export()
37. http://api.symfony.com/2.3/Symfony/Component/HttpKernel/Profiler/Profiler.html#import()

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 244

Configuration
The default Symfony configuration comes with sensible settings for the profiler, the web debug toolbar,
and the web profiler. Here is for instance the configuration for the development environment:
Listing 18-13

# load the profiler
framework:
profiler: { only_exceptions: false }

1
2
3
4
5
6
7
8

# enable the web profiler
web_profiler:
toolbar: true
intercept_redirects: true

When only_exceptions is set to true, the profiler only collects data when an exception is thrown by the
application.
When intercept_redirects is set to true, the web profiler intercepts the redirects and gives you the
opportunity to look at the collected data before following the redirect.
If you enable the web profiler, you also need to mount the profiler routes:
Listing 18-14

1 _profiler:
2
resource: "@WebProfilerBundle/Resources/config/routing/profiler.xml"
3
prefix:
/_profiler

As the profiler adds some overhead, you might want to enable it only under certain circumstances in the
production environment. The only_exceptions settings limits profiling to exceptions, but what if you
want to get information when the client IP comes from a specific address, or for a limited portion of the
website? You can use a Profiler Matcher, learn more about that in "How to Use Matchers to Enable the
Profiler Conditionally".

Learn more from the Cookbook





How to Use the Profiler in a Functional Test
How to Create a custom Data Collector
How to Extend a Class without Using Inheritance
How to Customize a Method Behavior without Using Inheritance

PDF brought to you by
generated on October 9, 2014

Chapter 18: Internals | 245

Chapter 19

The Symfony Stable API
The Symfony stable API is a subset of all Symfony published public methods (components and core
bundles) that share the following properties:





The namespace and class name won't change;
The method name won't change;
The method signature (arguments and return value type) won't change;
The semantic of what the method does won't change.

The implementation itself can change though. The only valid case for a change in the stable API is in
order to fix a security issue.
The stable API is based on a whitelist, tagged with @api. Therefore, everything not tagged explicitly is
not part of the stable API.
Read more about the stable API in Our backwards Compatibility Promise.

Any third party bundle should also publish its own stable API.

As of Symfony 2.0, the following components have a public tagged API:











BrowserKit
ClassLoader
Console
CssSelector
DependencyInjection
DomCrawler
EventDispatcher
Filesystem (as of Symfony 2.1)
Finder
HttpFoundation

PDF brought to you by
generated on October 9, 2014

Chapter 19: The Symfony Stable API | 246









HttpKernel
Process
Routing
Templating
Translation
Validator
Yaml

PDF brought to you by
generated on October 9, 2014

Chapter 19: The Symfony Stable API | 247