Views & Blade · Core · 35 min read

Forms & CSRF

Submit data the Laravel way — with built-in security.

What you will learn

  • Build a form that posts to a route
  • Use the CSRF token
  • Read input in the controller

A Blade form

Forms post to a route. Laravel requires a CSRF token on every POST form (security against forged requests); the @csrf directive adds it for you.

A form with @csrf
<form action="/products" method="POST">
  @csrf
  <input type="text" name="name">
  <input type="number" name="price">
  <button type="submit">Add</button>
</form>

Reading the form: action="/products" is the URL the data is sent to, and method="POST" means we are sending (creating) data, not just viewing. @csrf drops in a hidden security token (more on that below). Each <input> has a name (name and price), and those names are exactly how the controller will look the values up. The submit button sends everything.

When the form is submitted, the matching route runs this controller method, which reads the values out of the request:

Read the submitted data with $request
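// in the controller (with "use Illuminate\Http\Request;" at the top of the file)
public function store(Request $request)
{
    // Each value is looked up by the name attribute of its <input>
    $name = $request->input('name');
    $price = $request->input('price');
    // ... save it ...
    // Redirect after saving so a refresh does not resubmit the form
    return redirect('/products');
}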

The $request object holds everything the user submitted. $request->input('name') pulls out the value of the input whose name="name", and likewise for price. After saving, return redirect('/products') sends the browser to the products list — the standard "save, then redirect" pattern that stops a refresh from submitting the form twice.

Here is the whole journey of a Laravel form, start to finish:

  1. The user fills in the Blade form and clicks submit.
  2. The browser sends a POST request to the form’s action URL (/products), including the hidden @csrf token.
  3. Laravel checks the CSRF token to confirm the request really came from your site.
  4. The matching route sends the request to the controller’s store method.
  5. Inside store, $request->input('name') reads each submitted field by its name.
  6. The controller saves the data, then redirect() sends the user to another page.

Watch out: Every POST form in Laravel needs @csrf — it adds a hidden token that proves the request came from your site. Without it, Laravel rejects the submission (a security feature).
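What the check in step 3 amounts to, as an added example in plain PHP (not Laravel's own code and not part of the original lesson): a session-bound token is rendered into a hidden field and compared on every state-changing request. The function names and the $session array are hypothetical stand-ins for the framework's session store; the _token field name and the 419 status match Laravel's behaviour.

```php
<?php
// Added illustration, not Laravel's source. issueToken, csrfField, verifyRequest
// and the $session array are hypothetical stand-ins for the framework's internals.

function issueToken(array &$session): string
{
    // One unpredictable token per session, kept server-side.
    if (!isset($session['_token'])) {
        $session['_token'] = bin2hex(random_bytes(32));
    }
    return $session['_token'];
}

function csrfField(array &$session): string
{
    // The hidden field a form must carry so the token comes back on submit.
    $token = htmlspecialchars(issueToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_token" value="' . $token . '">';
}

function verifyRequest(string $method, array $post, array $session): int
{
    // Read-only methods are not checked; state-changing ones are.
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return 200;
    }
    $sent = $post['_token'] ?? null;
    $expected = $session['_token'] ?? null;
    // Both values must be non-empty strings; hash_equals compares in constant time.
    if (is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent)) {
        return 200;
    }
    return 419; // the status Laravel returns on a token mismatch
}

// Constructed sample requests against one session.
$session = [];
echo csrfField($session), PHP_EOL;
$withToken = ['_token' => $session['_token'], 'name' => 'Lamp', 'price' => '20'];
$noToken   = ['name' => 'Lamp', 'price' => '20'];   // form without @csrf
$wrong     = ['_token' => str_repeat('0', 64), 'name' => 'Lamp', 'price' => '20'];

foreach (['withToken' => $withToken, 'noToken' => $noToken, 'wrong' => $wrong] as $label => $post) {
    echo $label, ': ', verifyRequest('POST', $post, $session), PHP_EOL;
}
```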

Q. What does @csrf add to a Laravel form?

Answer: @csrf inserts a hidden token Laravel checks to ensure the request genuinely came from your site (CSRF protection).

✍️ Practice

  1. Build a Blade form with @csrf that posts to a route.
  2. Read the values in the controller with $request->input().

🏠 Homework

  1. Build an “add post” form wired to a controller method.