For JSON APIs, I use DTOs with MapRequestPayload — cleaner than forms, automatic validation, typed properties. For HTML forms, I still use the form system because it handles rendering, CSRF, and data transformation.
MapRequestPayload (Symfony 6.3+) maps JSON request bodies directly to typed DTOs using the Serializer and Validator. MapQueryString does the same for query parameters. This replaces manual request get calls and provides automatic validation and type safety. DTOs are plain PHP objects with typed properties and validation attributes. Compared to forms: DTOs with MapRequestPayload are simpler for API endpoints, while forms are better for HTML form rendering with CSRF protection. Strong candidates discuss: using validation groups on DTOs, handling nested objects, custom denormalization for complex types, and when forms are still the better choice (HTML rendering, data transformers, CSRF).
Tests awareness of modern Symfony. Candidates who manually deserialise JSON in every controller action are doing unnecessary work. Those who understand the DTO versus form trade-off choose the right tool for API versus HTML contexts.