
Detailed explanation of Nonce in WordPress

藏色散人
Release: 2021-03-12 11:40:48

This WordPress tutorial introduces the nonce mechanism in WordPress and how to use it to protect requests against CSRF.

Nonce in WordPress

Nonce is short for "number used once". A WordPress nonce is not a number but a short hash, a 10-character hexadecimal string. Despite the name, it is not single-use: it has a lifetime (24 hours by default, split into two 12-hour "ticks"; a nonce created in one tick is accepted until the end of the following tick, so it actually lives somewhere between 12 and 24 hours). Within that lifetime, the same action for the same user and login session always yields the same nonce value, so a nonce cannot be used to detect replayed requests. What it does is bind a request to a specific user, session and action, so that a third-party site cannot forge that request on the user's behalf. In this article, we will introduce how to use nonces to prevent CSRF attacks.
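To make the lifetime behaviour concrete, here is an added, stand-alone PHP model of how wp_create_nonce() and wp_verify_nonce() derive and check a nonce. It is not WordPress code and was not part of the original article: the constant NONCE_SALT_EXAMPLE stands in for the real NONCE_KEY/NONCE_SALT secrets, and the user ID, session token and clock are constructed inputs so the script runs without WordPress.

```php
<?php
// Added example, not WordPress core code: a stand-alone model of how
// wp_create_nonce() / wp_verify_nonce() derive and check a nonce, so the
// lifetime behaviour described above can be observed with `php nonce_model.php`.
// Assumptions: NONCE_SALT_EXAMPLE stands in for the real NONCE_KEY/NONCE_SALT
// secrets; $uid and $token stand in for get_current_user_id() and
// wp_get_session_token(); $now stands in for time().

const NONCE_LIFE         = 86400;                            // DAY_IN_SECONDS, the WordPress default
const NONCE_SALT_EXAMPLE = 'example-salt-not-a-real-secret'; // assumption, see above

// The lifetime is split into two "ticks". A nonce is bound to the tick it was
// created in and accepted in that tick (result 1) and the following one (result 2).
function nonce_tick( int $now ): int {
    return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

function nonce_for_tick( int $tick, string $action, int $uid, string $token ): string {
    // wp_hash( $data, 'nonce' ) is HMAC-MD5 keyed with the nonce salt; the nonce
    // is the 10 hex characters starting 12 characters from the end of the digest.
    $hash = hash_hmac( 'md5', $tick . '|' . $action . '|' . $uid . '|' . $token, NONCE_SALT_EXAMPLE );
    return substr( $hash, -12, 10 );
}

function create_nonce( string $action, int $uid, string $token, int $now ): string {
    return nonce_for_tick( nonce_tick( $now ), $action, $uid, $token );
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce().
function verify_nonce( string $nonce, string $action, int $uid, string $token, int $now ) {
    if ( '' === $nonce ) {
        return false;
    }
    $tick = nonce_tick( $now );
    if ( hash_equals( nonce_for_tick( $tick, $action, $uid, $token ), $nonce ) ) {
        return 1;
    }
    if ( hash_equals( nonce_for_tick( $tick - 1, $action, $uid, $token ), $nonce ) ) {
        return 2;
    }
    return false;
}

// Constructed inputs: user 7, one login session, a fixed clock.
$uid   = 7;
$token = 'constructed-session-token';
$t0    = 1700000000;
$nonce = create_nonce( 'trash-post_42', $uid, $token, $t0 );

$cases = array(
    'used once in the same tick'               => verify_nonce( $nonce, 'trash-post_42', $uid, $token, $t0 + 60 ),
    'used a second time (not single-use)'      => verify_nonce( $nonce, 'trash-post_42', $uid, $token, $t0 + 61 ),
    '12 hours later, previous tick'            => verify_nonce( $nonce, 'trash-post_42', $uid, $token, $t0 + 12 * 3600 ),
    '24 hours later, expired'                  => verify_nonce( $nonce, 'trash-post_42', $uid, $token, $t0 + 24 * 3600 ),
    'same nonce, different post'               => verify_nonce( $nonce, 'trash-post_43', $uid, $token, $t0 ),
    'same user after logging out and back in'  => verify_nonce( $nonce, 'trash-post_42', $uid, 'new-session-token', $t0 ),
    'another user'                             => verify_nonce( $nonce, 'trash-post_42', 8, $token, $t0 ),
);

printf( "nonce for user %d, action trash-post_42: %s\n", $uid, $nonce );
foreach ( $cases as $label => $result ) {
    printf( "%-42s => %s\n", $label, var_export( $result, true ) );
}
```

The cases show why a WordPress nonce is a CSRF token rather than a replay guard: reusing it within the window succeeds, while changing the action, the session token (logging out and back in) or the user makes it fail, and the 12-hour and 24-hour cases show the two-tick window.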

Create a Nonce

A nonce can be carried as a query parameter in a URL, as a hidden field in a form, or picked up by JavaScript and sent along with an Ajax request. Because the login session token is part of the hash, a nonce is also tied to the current session: if you log out and log in again, nonces issued before are no longer valid.

Add nonce to URL

You can append a nonce to a URL with wp_nonce_url():

wp_nonce_url( $actionurl, $action, $name );
// For example:
$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID );

Here $actionurl ($bare_url in the example, required) is the URL the nonce is appended to, and $action (optional, default -1) is the action name the nonce is bound to. Always pass a specific action that names the operation and the object it acts on, as 'trash-post_'.$post->ID does above: with the default -1 the nonce is not tied to any particular operation, so a nonce obtained for one action would verify for any other action that also uses the default.

By default the nonce is added to the link under the query parameter name _wpnonce. To avoid possible conflicts, WordPress 3.6 added an optional third parameter $name to wp_nonce_url() that lets you choose the parameter name yourself. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID, 'my_nonce' );

Add nonce to Form

You can add the nonce as a hidden input in a form with wp_nonce_field():

wp_nonce_field( $action, $name, $referer, $echo );
// For example:
wp_nonce_field( 'delete-comment_'.$comment_id );

$action and $name behave as in wp_nonce_url() (defaults -1 and '_wpnonce'). $referer (default true) additionally emits a hidden _wp_http_referer field, and $echo (default true) prints the fields immediately; pass false to have them returned as a string instead.

The call above generates markup similar to the following:

<input type="hidden" id="_wpnonce" name="_wpnonce" value="796c7766b1" />
<input type="hidden" name="_wp_http_referer" value="/wp-admin/edit-comments.php" />

Generate a separate nonce

If you only need the nonce value itself, call wp_create_nonce():

wp_create_nonce( $action );
// For example:
$nonce = wp_create_nonce( 'my-action_'.$post->ID );

Again, $action is optional and defaults to -1. The call returns a string such as "295a686963".

Verify the validity of the nonce

Verify the nonce in a form or URL

In the admin area you can use check_admin_referer() to verify a nonce that arrives either as a URL parameter or as a form field; it reads the value from $_REQUEST, so the same call covers both:

check_admin_referer( $action, $query_arg );

$query_arg is the name of the request parameter holding the nonce and defaults to '_wpnonce'. If the nonce is missing or invalid, the function calls wp_die() with the message "The link you followed has expired." and does not return; on success it returns 1 or 2 (see wp_verify_nonce() below). Note that a valid nonce only proves the request originated from a page WordPress rendered for this user; it says nothing about permissions, so the handler still has to check current_user_can() for the operation.

The following example shows how a plugin uses check_admin_referer() to verify a nonce submitted with a form:

<form method="post">
   <!-- some inputs here -->
   <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?>
</form>

Verification on the server side, in the code that handles the submitted form:

check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' );
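Here is a complete, added example (not code from the original article) that puts together the URL variant from the wp_nonce_url() section and the form variant above with check_admin_referer(): a small options page issues one nonce via wp_nonce_field() and another via wp_nonce_url(), and two admin-post.php handlers verify them. The hook and option names (nonce_demo_save, nonce_demo_reset, demo_note) and the parameter name demo_nonce are this example's own choices.

```php
<?php
/*
 * Added example, not code from the original article: one small plugin that
 * issues nonces both ways shown above (wp_nonce_field() in a form and
 * wp_nonce_url() in a link) and verifies both with check_admin_referer()
 * in admin-post.php handlers.
 * Assumptions: the action names nonce_demo_save / nonce_demo_reset, the
 * option name demo_note and the parameter name demo_nonce are this
 * example's own choices.
 */

add_action( 'admin_menu', function () {
    add_options_page( 'Nonce demo', 'Nonce demo', 'manage_options', 'nonce-demo', 'nonce_demo_page' );
} );

function nonce_demo_page() {
    // Link variant: the nonce travels as the demo_nonce query parameter.
    $reset_url = wp_nonce_url(
        admin_url( 'admin-post.php?action=nonce_demo_reset' ),
        'nonce_demo_reset',
        'demo_nonce'
    );
    ?>
    <div class="wrap">
        <h1>Nonce demo</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="nonce_demo_save">
            <?php
            // Form variant: emits <input type="hidden" name="demo_nonce" ...> plus _wp_http_referer.
            wp_nonce_field( 'nonce_demo_save', 'demo_nonce' );
            ?>
            <input type="text" name="demo_note" value="<?php echo esc_attr( get_option( 'demo_note', '' ) ); ?>">
            <?php submit_button( 'Save note' ); ?>
        </form>
        <p><a href="<?php echo esc_url( $reset_url ); ?>">Reset note</a></p>
    </div>
    <?php
}

// check_admin_referer() reads $_REQUEST[ $query_arg ], so the same call covers
// the POSTed field and the URL parameter. On a missing or invalid nonce it
// calls wp_die() ("The link you followed has expired.") and never returns.
add_action( 'admin_post_nonce_demo_save', function () {
    check_admin_referer( 'nonce_demo_save', 'demo_nonce' );
    // A valid nonce proves the request came from this user's own admin page,
    // not that the user may perform the action: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $note = isset( $_POST['demo_note'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_note'] ) ) : '';
    update_option( 'demo_note', $note );
    wp_safe_redirect( admin_url( 'options-general.php?page=nonce-demo&saved=1' ) );
    exit;
} );

add_action( 'admin_post_nonce_demo_reset', function () {
    // A nonce issued for 'nonce_demo_save' does not verify here: each action has its own.
    check_admin_referer( 'nonce_demo_reset', 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    delete_option( 'demo_note' );
    wp_safe_redirect( admin_url( 'options-general.php?page=nonce-demo' ) );
    exit;
} );
```

Both handlers run the nonce check first and the capability check second; the order matters little for security, but keeping the two checks separate makes it obvious that the nonce is about request origin and current_user_can() is about authorization.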

Verify the nonce in an Ajax request

To check a nonce sent with an Ajax request, use check_ajax_referer():

check_ajax_referer( $action, $query_arg, $die )

$query_arg names the request field that carries the nonce; if it is omitted (false), WordPress looks for _ajax_nonce and then _wpnonce. $die (default true) specifies whether script execution is terminated when the nonce is invalid; in that case WordPress responds with "-1" and HTTP status 403. With $die set to false the function instead returns false for an invalid nonce (and 1 or 2 for a valid one), so the handler can send its own error response.

A simple example of using check_ajax_referer(). First, the page that creates the nonce and makes the request:

<?php
// Create the nonce on the server and hand it to the page's JavaScript.
$ajax_nonce = wp_create_nonce( "my-special-string" );
?>

<script type="text/javascript">
jQuery(document).ready(function($){
    var data = {
        action: 'my_action',                                  // selects the wp_ajax_my_action handler
        security: '<?php echo esc_js( $ajax_nonce ); ?>',     // the nonce, under the field name the handler checks
        my_string: 'Hello World!'
    };
    // ajaxurl is predefined only on wp-admin pages; on the front end you must
    // supply the URL of admin-ajax.php yourself.
    $.post(ajaxurl, data, function(response) {
        alert("Response: " + response);
    });
});
</script>

Then the handler on the server side, which verifies the nonce before doing anything else:

// wp_ajax_{action} fires for logged-in users only; register wp_ajax_nopriv_{action}
// as well if logged-out visitors should be able to call it.
add_action( 'wp_ajax_my_action', 'my_action_function' );
function my_action_function() {
    // Dies with "-1" (HTTP 403) unless $_REQUEST['security'] holds a valid nonce for 'my-special-string'.
    check_ajax_referer( 'my-special-string', 'security' );
    echo isset( $_POST['my_string'] ) ? sanitize_text_field( wp_unslash( $_POST['my_string'] ) ) : '';
    wp_die(); // always end an Ajax handler with wp_die() so nothing else is appended to the response
}
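The snippet above prints the nonce inline and relies on the admin-only ajaxurl variable. Below is an added example (not code from the original article) of the same exchange arranged for a front-end page: the nonce and the admin-ajax.php URL are delivered with wp_localize_script(), the handler is registered for logged-out visitors too, and check_ajax_referer() is called with $die = false so that a bad nonce produces a JSON 403 instead of the bare "-1" response. The handle nonce-demo, the JavaScript object name nonceDemo and the action name my_action are this example's own choices.

```php
<?php
/*
 * Added example, not code from the original article: the Ajax pattern above
 * rearranged for a front-end page. The nonce and the admin-ajax.php URL are
 * passed to the script with wp_localize_script() instead of being printed
 * inline, and the handler calls check_ajax_referer() with $die = false so a
 * bad nonce gets a JSON 403 instead of the bare "-1" body from wp_die().
 * Assumptions: the handle nonce-demo, the JS object name nonceDemo and the
 * action name my_action are this example's own choices.
 */

add_action( 'wp_enqueue_scripts', function () {
    // A handle with no file ($src = false), so the JS can live inline in this snippet.
    wp_register_script( 'nonce-demo', false, array( 'jquery' ), '1.0', true );
    wp_enqueue_script( 'nonce-demo' );
    wp_localize_script( 'nonce-demo', 'nonceDemo', array(
        // ajaxurl is predefined only in wp-admin; the front end has to be told.
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'my-special-string' ),
    ) );
    wp_add_inline_script( 'nonce-demo', <<<'JS'
jQuery(function ($) {
    $.post(nonceDemo.ajaxurl, {
        action:    'my_action',
        security:  nonceDemo.nonce,
        my_string: 'Hello World!'
    }).done(function (res) {
        console.log('ok:', res.data.echo, '(nonce from', res.data.nonce_age + ')');
    }).fail(function (xhr) {
        // A rejected nonce arrives here as HTTP 403 with a JSON error body.
        console.log('failed:', xhr.status, xhr.responseJSON ? xhr.responseJSON.data.message : '');
    });
});
JS
    );
} );

// Registered for logged-in and logged-out visitors alike. For a logged-out
// visitor the nonce is derived from user ID 0 and an empty session token, so it
// is identical for every anonymous visitor and is not a CSRF defence by itself.
add_action( 'wp_ajax_my_action', 'nonce_demo_ajax_handler' );
add_action( 'wp_ajax_nopriv_my_action', 'nonce_demo_ajax_handler' );

function nonce_demo_ajax_handler() {
    // With $die = false this returns false, 1 or 2 instead of terminating.
    $valid = check_ajax_referer( 'my-special-string', 'security', false );
    if ( false === $valid ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce. Reload the page.' ), 403 );
    }
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }
    $string = isset( $_POST['my_string'] ) ? sanitize_text_field( wp_unslash( $_POST['my_string'] ) ) : '';
    wp_send_json_success( array(
        'echo'      => $string,
        'nonce_age' => ( 2 === $valid ) ? 'previous tick' : 'current tick',
    ) );
}
```

wp_send_json_error() and wp_send_json_success() both end the request themselves, so no explicit wp_die() is needed after them. The is_user_logged_in() check is there because the nopriv hook makes the endpoint reachable anonymously; a nonce alone never establishes who is calling.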

Verify an independently generated nonce

A nonce created with wp_create_nonce() and transported by any means can be checked with wp_verify_nonce():

wp_verify_nonce( $nonce, $action );

It returns 1 if the nonce was generated in the current tick (the first half of its lifetime), 2 if it was generated in the previous tick (still valid), and false if it is missing, malformed, expired, or was created for a different action, user or login session. Because 1 and 2 are both truthy, test the result with if ( ! wp_verify_nonce( $nonce, $action ) ) rather than comparing it to true. Unlike check_admin_referer() and check_ajax_referer(), it never terminates the script, so it is the right choice when you want to show your own error message.
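Below is an added example (not code from the original article) of a front-end form checked with wp_verify_nonce() directly, where the wp_die() page produced by check_admin_referer() would be the wrong response. It handles the three return values explicitly and uses the nonce_life filter to shorten the window for this one action. The action prefix demo_unsubscribe_, the field name demo_nonce, the user-meta key demo_newsletter, the demo_nonce_aging hook and the one-hour lifetime are this example's own choices.

```php
<?php
/*
 * Added example, not code from the original article: a front-end form checked
 * with wp_verify_nonce() directly, where the wp_die() page produced by
 * check_admin_referer() would be the wrong response. The three return values
 * (1, 2, false) are handled explicitly and the nonce_life filter shortens the
 * window for this one action.
 * Assumptions: the action prefix demo_unsubscribe_, field name demo_nonce,
 * user-meta key demo_newsletter, hook demo_nonce_aging and the one-hour
 * lifetime are this example's own choices.
 */

// Shorten the lifetime for this action only. WordPress 6.1+ passes $action as the
// second filter argument; older versions pass only the lifetime, hence the default.
add_filter( 'nonce_life', function ( $life, $action = null ) {
    if ( is_string( $action ) && 0 === strpos( $action, 'demo_unsubscribe_' ) ) {
        return HOUR_IN_SECONDS; // default is DAY_IN_SECONDS; the nonce now lives 30 to 60 minutes
    }
    return $life;
}, 10, 2 );

// Returns true when the posted nonce is valid, a WP_Error otherwise.
function demo_verify_form_nonce( $action, $field = 'demo_nonce' ) {
    // Nonces are lowercase hex, so sanitize_key() cannot damage a genuine one.
    $nonce  = isset( $_POST[ $field ] ) ? sanitize_key( $_POST[ $field ] ) : '';
    $result = wp_verify_nonce( $nonce, $action );
    if ( false === $result ) {
        return new WP_Error( 'bad_nonce', 'This form has expired. Please reload the page and try again.' );
    }
    if ( 2 === $result ) {
        // Issued in the previous tick: still valid, but useful to know when tuning nonce_life.
        do_action( 'demo_nonce_aging', $action );
    }
    return true;
}

add_shortcode( 'demo_unsubscribe', function () {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    $uid    = get_current_user_id();
    $action = 'demo_unsubscribe_' . $uid; // names the operation and its target
    $out    = '';

    if ( isset( $_POST['demo_unsubscribe'] ) ) {
        $check = demo_verify_form_nonce( $action );
        if ( is_wp_error( $check ) ) {
            $out .= '<p class="error">' . esc_html( $check->get_error_message() ) . '</p>';
        } else {
            update_user_meta( $uid, 'demo_newsletter', 'off' );
            $out .= '<p>You have been unsubscribed.</p>';
        }
    }

    $out .= '<form method="post">';
    $out .= wp_nonce_field( $action, 'demo_nonce', true, false ); // $echo = false: returned, not printed
    $out .= '<button type="submit" name="demo_unsubscribe" value="1">Unsubscribe</button>';
    $out .= '</form>';
    return $out;
} );
```

Returning a WP_Error instead of dying lets the page re-render the form with a fresh nonce next to the error message, so a visitor who left the tab open past the shortened lifetime can simply submit again.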

Source: segmentfault.com