The HttpFoundation component provides an object-oriented abstraction of the HTTP specification. It's one of the most important concepts to understand when learning Symfony, as the framework is built around a request–response model defined by the Request class and Response class.

In Symfony 7.4, we've introduced several important changes related to the Request class.

Deprecated the get() Method

Nicolas Grekas
Contributed by Nicolas Grekas in #61948

The Request class includes a get() method that retrieves a parameter by checking, in order, the route attributes, the GET parameters, and the POST parameters. As soon as it finds a match, it returns the value and stops searching:

1
2
3
4
5
6
7
8
9
10
11
12
13
// ...
use Symfony\Component\HttpFoundation\Request;

class SomeController extends AbstractController
{
    public function someAction(Request $request): Response
    {
        // the value can come from the route, the query string, or POST data
        $value = $request->get('some_key');

        // ...
    }
}

However, Symfony has long recommended accessing these values through the attributes, query or request properties directly. In Symfony 7.4, the Request::get() method is deprecated. Starting in Symfony 8.0, it will no longer be available:

1
2
3
4
5
6
7
8
9
10
11
12
13
public function someAction(Request $request): Response
{
    // use this if the value comes from route placeholders or custom attributes
    $value = $request->attributes->get('some_key');

    // use this for GET query parameters
    $value = $request->query->get('some_key');

    // use this for POST-submitted data
    $value = $request->request->get('some_key');

    // ...
}

Parsing the Body of Other HTTP Methods

Mathieu
Contributed by Mathieu in #61961

With RESTful APIs, it's common to use HTTP methods like PUT or PATCH with multipart/form-data or application/x-www-form-urlencoded payloads. Until now, Symfony only parsed the request body for POST requests due to a PHP limitation.

In PHP 8.4, a new function called request_parse_body() allows parsing the body for any HTTP method using those content types. Therefore, Symfony 7.4 now also parses the body for non-POST requests.

In practice, methods like Request::createFromGlobals(), which builds a Request object from PHP's superglobals, now work for POST, PUT, DELETE, PATCH and QUERY requests.

Deprecation of Certain HTTP Method Overrides

Nicolas Grekas
Contributed by Nicolas Grekas in #61949 and #61979

Because browsers only support GET and POST methods in HTML forms, Symfony provides an HTTP method override feature that lets you simulate other methods like PUT or DELETE.

In Symfony 7.4, and to make applications safer by default, overriding the GET, HEAD, CONNECT and TRACE methods is now deprecated. We've also introduced new methods to configure which HTTP methods can be overridden:

1
2
3
4
Request::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);

// disallow all HTTP method overrides
Request::setAllowedHttpMethodOverride([]);

In a Symfony application, you can configure this globally with a new config option:

1
2
3
# config/packages/framework.yaml
framework:
    allowed_http_method_override: ['PUT', 'DELETE', 'PATCH']
Published in #Living on the edge