Detailed explanation of Nonce in WordPress-WordPress-php.cn

Home

CMS Tutorial

WordPress

Detailed explanation of Nonce in WordPress

藏色散人

Mar 12, 2021 am 11:40 AM

wordpress

The following tutorial column of WordPress will introduce you to Nonce in WordPress. I hope it will be helpful to friends in need!

Nonce in WordPress

Nonce is the abbreviation of number used once. The nonce of WordPress is not a number, but a string of Hash composed of numbers and characters. The value can not only be used once, but also has a lifetime. During the lifetime, the same parameter will generate the same nonce value for each user until the end of the lifetime. In this article, we will introduce how to use Nonce to prevent CSRF attacks.

Create a Nonce

Nonce can be placed in the Url request or in the Hidden element of a Form, and then used through Javascript during the Ajax request Get him it. The life cycle of a Nonce is only in the current Session. If you log out and then log in again, the previous nonce will also be invalid.

Add nonce to URL

You can add a Nonce to Url through wp_nonce_url() method:

wp_nonce_url( $actionurl, $action, $name );
// 例如：
$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID );

where $bare_url (required Select) is the URL to which the nonce is to be added, and $action is the action name defined for the nonce, optional, and the default is -1.

By default, the name of the generated nonce in the link is _wpnonce. In order to avoid possible conflicts, after WordPress 3.6 version, wp_nonce_url added an optional $name parameter, which allows users to specify it themselves. The name of the nonce in the link. For example:

$complete_url = wp_nonce_url( $bare_url, 'trash-post_'.$post->ID, 'my_nonce' );

Add nonce to Form

You can add a hidden element to the form through the wp_nonce_field() method:

PHP

wp_nonce_field( $action, $name, $referer, $echo )
//例如 ：
wp_nonce_field( 'delete-comment_'.$comment_id );
wp_nonce_field( $action, $name, $referer, $echo )
//例如 ：
wp_nonce_field( 'delete-comment_'.$comment_id );

Call The above method will generate code similar to the following:

<input>
<input>

Generate a separate nonce

If you just want to generate an independent nonce, you can pass wp_create_nonce() Method:

wp_create_nonce( $action );
// 例如：
$nonce = wp_create_nonce( 'my-action_'.$post->ID );

Similarly, $action is an optional parameter and the default is -1. The above method will return a result similar to "295a686963".

Verify the validity of the nonce

Verify the nonce in the form

In the Admin management interface, you can use the check_admin_referer method to Verify the validity of the Nonce in the Url:

check_admin_referer( $action, $query_arg );

The following is an example demonstrating how to use check_admin_referer to verify the nonce in the plug-in:

Verification method:

check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' );

Verification Nonce in Ajax

If you want to check the validity of the nonce in the Ajax request, you can use the check_ajax_referer() method:

check_ajax_referer( $action, $query_arg, $die )

$die specifies whether to end script execution if $nonce is invalid . (Default is True)

A simple example of using check_ajax_referer:

<?php //Set Your Nonce
$ajax_nonce = wp_create_nonce( "my-special-string" );
?>
 
<script>
jQuery(document).ready(function($){
    var data = {
        action: &#39;my_action&#39;,
        security: &#39;<?php echo $ajax_nonce; ?>&#39;,
        my_string: &#39;Hello World!&#39;
    };
    $.post(ajaxurl, data, function(response) {
        alert("Response: " + response);
    });
});
</script>

Verify backwards through the following code:

add_action( 'wp_ajax_my_action', 'my_action_function' );
function my_action_function() {
    check_ajax_referer( 'my-special-string', 'security' );
    echo sanitize_text_field( $_POST['my_string'] );
    wp_die();
}

Verify the independently generated nonce

1
wp_verify_nonce( $nonce, $action );

The above is the detailed content of Detailed explanation of Nonce in WordPress. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:segmentfault. If there is any infringement, please contact admin@php.cn delete

How to add a comment box to WordPressApr 20, 2025 pm 12:15 PM

Enable comments on your WordPress website to provide visitors with a platform to participate in discussions and share feedback. To do this, follow these steps: Enable Comments: In the dashboard, navigate to Settings > Discussions, and select the Allow Comments check box. Create a comment form: In the editor, click Add Block and search for the Comments block to add it to the content. Custom Comment Form: Customize comment blocks by setting titles, labels, placeholders, and button text. Save changes: Click Update to save the comment box and add it to the page or article.

How to copy sub-sites from wordpressApr 20, 2025 pm 12:12 PM

How to copy WordPress subsites? Steps: Create a sub-site in the main site. Cloning the sub-site in the main site. Import the clone into the target location. Update the domain name (optional). Separate plugins and themes.

How to write a header of a wordpressApr 20, 2025 pm 12:09 PM

The steps to create a custom header in WordPress are as follows: Edit the theme file "header.php". Add your website name and description. Create a navigation menu. Add a search bar. Save changes and view your custom header.

How to display wordpress commentsApr 20, 2025 pm 12:06 PM

Enable comments in WordPress website: 1. Log in to the admin panel, go to "Settings" - "Discussions", and check "Allow comments"; 2. Select a location to display comments; 3. Customize comments; 4. Manage comments, approve, reject or delete; 5. Use <?php comments_template(); ?> tags to display comments; 6. Enable nested comments; 7. Adjust comment shape; 8. Use plugins and verification codes to prevent spam comments; 9. Encourage users to use Gravatar avatar; 10. Create comments to refer to

How to upload source code for wordpressApr 20, 2025 pm 12:03 PM

You can install the FTP plug-in through WordPress, configure the FTP connection, and then upload the source code using the file manager. The steps include: installing the FTP plug-in, configuring the connection, browsing the upload location, uploading files, and checking that the upload is successful.

How to copy wordpress codeApr 20, 2025 pm 12:00 PM

How to copy WordPress code? Copy from the admin interface: Log in to the WordPress website, navigate to the destination, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code. Copy from a file: Connect to the server using SSH or FTP, navigate to the theme or plug-in file, select the code and press Ctrl C (Windows)/Command C (Mac) to copy the code.

What to do if there is an error in wordpressApr 20, 2025 am 11:57 AM

WordPress Error Resolution Guide: 500 Internal Server Error: Disable the plug-in or check the server error log. 404 Page not found: Check permalink and make sure the page link is correct. White Screen of Death: Increase the server PHP memory limit. Database connection error: Check the database server status and WordPress configuration. Other tips: enable debug mode, check error logs, and seek support. Prevent errors: regularly update WordPress, install only necessary plugins, regularly back up your website, and optimize website performance.

How to close comments with wordpressApr 20, 2025 am 11:54 AM

How to turn off a comment in WordPress? Specific article or page: Uncheck Allow comments under Discussion in the editor. Whole website: Uncheck "Allow comments" in "Settings" -> "Discussion". Using plug-ins: Install plug-ins such as Disable Comments to disable comments. Edit the topic file: Remove the comment form by editing the comments.php file. Custom code: Use the add_filter() function to disable comments.

See all articles

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Assassin's Creed Shadows: Seashell Riddle Solution

3 weeks agoByDDD

What's New in Windows 11 KB5054979 & How to Fix Update Issues

2 weeks agoByDDD

Where to find the Crane Control Keycard in Atomfall

3 weeks agoByDDD

Assassin's Creed Shadows - How To Find The Blacksmith And Unlock Weapon And Armour Customisation

1 months agoByDDD

Roblox: Dead Rails - How To Complete Every Challenge

3 weeks agoByDDD

Hot Tools

mPDF

mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.