Menu
I've read the reference of this function on Wordpress but i still don't understand what this function really does.
I'm reading a tutorial about creating a meta box in wordpress and I have this code inside the function which saves the data:
if ( !wp_verify_nonce( $_POST[$meta_box['name'].'_noncename'], plugin_basename(__FILE__) )) {
return $post_id;
}
Can someone explain briefly what is the meaning of wp_verify_nonce() ?
471
Verifying a Noncecheck_admin_referer() – To verify a nonce that was passed in a URL or a form in an admin screen. check_ajax_referer() – Checks the nonce (but not the referrer), and if the check fails then by default it terminates script execution. wp_verify_nonce() – To verify a nonce passed in some other context.
Nonce is a number or key used once. WordPress uses Nonces to protect URLs and forms from getting misused by malicious hack attempts. For example, on the comment moderation screen when you trash or delete a comment, WordPress adds a nonce key to the URL like this: http://www.example.com/wp-admin/comment.php?
A nonce is a "number used once" to help protect URLs and forms from certain types of misuse, malicious or otherwise. WordPress nonces aren't numbers but are a hash made up of numbers and letters. Nor are they used only once, but have a limited "lifetime" after which they expire.
Nonces are not stored anywhere, they are computed and verified on the fly based on some input data.
The nonce is a 'number used once' - a code that WP uses to make sure that POST data is coming from a safe place. This is useful to make sure that your plugin does not end up digesting data from an unsafe source (see Cross-Site Request Forgery).
This blog post by Mark Jaquith is useful for understanding them.
[nonces] are unique to the WordPress install, to the WordPress user, to the action, to the object of the action, and to the time of the action (24 hour window). That means that if any of these things changes, the nonce is invalid. So if you (somehow) intercept a nonce being used by me, you would, first of all, only have 24 hours to use this key to attempt to trick me.
To create a nonce you must give wp_create_nonce a certain string, providing the 'context' for the nonce. It gives you back a string - the nonce itself. You then include this nonce as part of your POST request. The receiving page should then create a nonce of its own, using the same context, and see if they match up.
In this case, the context given is plugin_basename(__FILE__). This will generate the same string whenever it is called from within the same plugin (see here).
When your wp_verify_nonce recieves a nonce created under the same circumstances as specified by Mark, with the same context string, it returns true.
In short:
!wp_verify_nonce
returns true if wp_verify_nonce returns false.
($_POST[$meta_box['name'].'_noncename'],
First argument to wp_verify_nonce: the nonce to check. This code gets the nonce out of the post request, stored in the $_POST global.
plugin_basename(__FILE__) )
Second argument to wp_verify_nonce: the context for generating the new nonce against which the first will be checked.
{ return $post_id; }
If the nonce doesn't match, stop executing the current function, returning the variable $post_id.
151
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
