Symfony2 - use of Delete form in CRUD operation

Tagged: symfony


If you used a link for delete with an id, it's possible for a robot to delete your data by looping.

In the Symfony action, check for the "DELETE" method, as well as whether your CSRF token verifies with the isValid method ("$form->isValid()").

That's the security reason it creates a form and validates it.


Not using a simple link to delete data relates to the concept of safe methods in HTTP (if you had just a simple link, you would have to send a GET request to the URL):

Some of the methods (for example, HEAD, GET, OPTIONS and TRACE) are, by convention, defined as safe, which means they are intended only for information retrieval and should not change the state of the server. In other words, they should not have side effects [...]


I think it's important to write a word about CSRF.

By using a Symfony form, it creates a CSRF token that ensures the user who deletes the entity is the same user who wanted to. If there was no form and only a link /{id}, it would be possible, by using a bad link in a mail or an XSS attack, to make someone else send the request to delete an entity.

If Bob uses an XSS breach or something else to make Alice (the admin) send a request for deleting an entity, the request is sent by Alice, even if it's an attack from Bob. So Bob doesn't have the rights for this request, but he used the session of Alice, who has the rights. The entity is deleted.

To protect against CSRF attacks, using a CSRF token is really important. Symfony's Form includes it automatically and checks it in isValid().
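The pattern the first and third answers describe (DELETE method only, CSRF token verified in isValid(), nothing deleted on a GET), written out as an added example for Symfony 2.3+. This is not code from the question, from any answer, or from Symfony's CRUD generator; the entity AppBundle:Post, the route names post_show, post_delete and post_index, and the template path are all made-up names for illustration.

```php
<?php
// Added example (not from the original thread). Assumes Symfony 2.3+ with
// SensioFrameworkExtraBundle annotations. Entity, route and template names
// below are hypothetical.

namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class PostController extends Controller
{
    /**
     * Shows a post together with its delete form. A plain <a href="/post/{id}">
     * link would be a GET, a "safe" method that must not change server state and
     * that anyone can make the admin's browser send; so a form is rendered instead.
     *
     * @Route("/post/{id}", name="post_show")
     * @Method("GET")
     */
    public function showAction($id)
    {
        $post = $this->getDoctrine()->getRepository('AppBundle:Post')->find($id);
        if (!$post) {
            throw $this->createNotFoundException('No post found for id '.$id);
        }

        // In the template (hypothetical AppBundle:Post:show.html.twig):
        //   {{ form(delete_form) }}
        // renders the hidden _method=DELETE and _token fields automatically.
        return $this->render('AppBundle:Post:show.html.twig', array(
            'post'        => $post,
            'delete_form' => $this->createDeleteForm($id)->createView(),
        ));
    }

    /**
     * Only reachable with the DELETE method (the browser POSTs with a hidden
     * _method=DELETE field, which the kernel's HTTP method override turns into
     * DELETE). handleRequest() ignores requests with the wrong method, and
     * isValid() fails when the _token field is missing or does not match the
     * token stored in the user's session.
     *
     * @Route("/post/{id}", name="post_delete")
     * @Method("DELETE")
     */
    public function deleteAction(Request $request, $id)
    {
        $form = $this->createDeleteForm($id);
        $form->handleRequest($request);

        if (!$form->isValid()) {
            // Forged or replayed request: nothing is deleted, user is sent back.
            $this->get('session')->getFlashBag()->add('error', 'Invalid delete request.');

            return $this->redirect($this->generateUrl('post_show', array('id' => $id)));
        }

        $em   = $this->getDoctrine()->getManager();
        $post = $em->getRepository('AppBundle:Post')->find($id);
        if (!$post) {
            throw $this->createNotFoundException('No post found for id '.$id);
        }

        $em->remove($post);
        $em->flush();

        return $this->redirect($this->generateUrl('post_index'));
    }

    /**
     * Builds the delete form. CSRF protection is enabled by default, so the
     * form gets a hidden _token field bound to the current session; setMethod
     * makes Symfony emit the _method override field for DELETE.
     */
    private function createDeleteForm($id)
    {
        return $this->createFormBuilder()
            ->setAction($this->generateUrl('post_delete', array('id' => $id)))
            ->setMethod('DELETE')
            ->add('submit', 'submit', array('label' => 'Delete'))
            ->getForm();
    }
}
```

Because the same createDeleteForm() builds the form for both rendering and validation, the token expected in deleteAction() is the one the show page issued; a crawler or a crafted link can reach the URL, but without the session-bound _token the form never validates and the entity stays in place.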