Function Documentation

wp_nonce_field()

💡 云策 Documentation Annotations

Overview

The wp_nonce_field() function generates or outputs a hidden nonce field for a form, so that the form's origin can be verified and its security strengthened. It accepts a custom action name, a custom nonce field name and other parameters, and can optionally include a referer field.

Key Points

  • The nonce field verifies that a form submission came from the current site; it provides basic protection, not absolute security.
  • The $action and $name parameters are optional, but setting them is recommended to improve security; avoid relying on the default values.
  • The function returns the HTML markup of the nonce field; the $display parameter controls whether the markup is echoed directly or only returned as a string.
  • Related functions include wp_referer_field(), esc_attr() and wp_create_nonce(), which assist with verification and escaping.

Code Examples

// Basic usage: output the default nonce field
wp_nonce_field();

// Custom action name and nonce field name
wp_nonce_field( 'my_action', 'my_nonce_field' );

// Example of verifying the nonce on submission
if ( ! isset( $_POST['my_nonce_field'] )
    || ! wp_verify_nonce( $_POST['my_nonce_field'], 'my_action' )
) {
    die( 'Security check failed' );
}

Notes

  • Although nonce verification works without parameters, always set $action and $name to strengthen security.
  • Include the nonce field in the form and verify it on submission with wp_verify_nonce().
  • Escape user input to avoid security vulnerabilities, for example by passing the $name parameter through esc_attr().

📄 Original Content

Retrieves or displays a nonce hidden field for forms.

Description

The nonce field is used to validate that the contents of the form came from a location on the current site and not somewhere else. The nonce does not offer absolute protection, but should protect against most cases. It is very important to use a nonce field in forms.

The $action and $name are optional, but if you want better security, it is strongly suggested to set those two parameters. It is easier to just call the function without any parameters, because validation of the nonce doesn't require any parameters, but since crackers know what the default is, it won't be difficult for them to find a way around your nonce and cause damage.

The input name will be whatever $name value you gave. The input value will be the nonce creation value.

Parameters

$action (int|string) (optional)
Action name.
Default: -1

$name (string) (optional)
Nonce name.
Default: '_wpnonce'

$referer (bool) (optional)
Whether to set the referer field for validation.
Default: true

$display (bool) (optional)
Whether to display or return the hidden form field.
Default: true

Return

string Nonce field HTML markup.
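The following is an added example, not code from the WordPress documentation or from WordPress core. It shows the full round trip the description above implies: a form that emits an explicitly named nonce field (with the referer field that $referer = true adds), and an admin-post handler that verifies the nonce before touching the submitted data. The action name 'demo_save_note', the field name 'demo_save_note_nonce' and the option name 'demo_last_note' are assumptions made for this example.

```php
<?php
// Added example (not WordPress core code). Names prefixed "demo_" are constructed
// for illustration; wp_nonce_field(), wp_verify_nonce(), wp_die(), current_user_can(),
// sanitize_text_field(), wp_unslash() and the admin_post_{action} hook are WordPress APIs.

function demo_render_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_note" />
        <label for="note">Note</label>
        <input type="text" id="note" name="note" />
        <?php
        // Explicit action and field name instead of the defaults (-1 / '_wpnonce').
        // $referer defaults to true, so a _wp_http_referer field is emitted as well.
        wp_nonce_field( 'demo_save_note', 'demo_save_note_nonce' );
        ?>
        <button type="submit">Save</button>
    </form>
    <?php
}

function demo_handle_save_note() {
    // 1. The nonce must be present and must have been created for the same action string.
    $nonce = isset( $_POST['demo_save_note_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_save_note_nonce'] ) )
        : '';

    // wp_verify_nonce() returns 1 (generated in the last 12 hours), 2 (12 to 24 hours)
    // or false; any truthy value means the nonce is valid for this user and action.
    if ( ! wp_verify_nonce( $nonce, 'demo_save_note' ) ) {
        wp_die( 'Security check failed', 'Error', array( 'response' => 403 ) );
    }

    // 2. A valid nonce proves the request was intended by the user; it is not an
    //    authorization check, so the capability is verified separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 'Error', array( 'response' => 403 ) );
    }

    // 3. Only now read and sanitize the actual form data.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'demo_last_note', $note );

    // wp_get_referer() reads the _wp_http_referer field that wp_nonce_field() added.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_handle_save_note' );
```

The order of the checks in the handler is deliberate: the nonce is checked first so that a forged cross-site request is rejected before any input is read, and the capability check follows because a nonce only ties the request to the current user and action, not to what that user is allowed to do.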

Source

function wp_nonce_field( $action = -1, $name = '_wpnonce', $referer = true, $display = true ) {
	$name        = esc_attr( $name );
	$nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';

	if ( $referer ) {
		$nonce_field .= wp_referer_field( false );
	}

	if ( $display ) {
		echo $nonce_field;
	}

	return $nonce_field;
}
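The source above always returns the markup and only echoes it when $display is true. The added example below (not WordPress core code) shows the case where that matters: a shortcode callback must return its output rather than print it, so the field is requested with $display = false and concatenated into the returned string. The shortcode tag 'demo_feedback_form', the action 'demo_feedback' and the field name 'demo_feedback_nonce' are assumptions made for this example.

```php
<?php
// Added example (not WordPress core code). The "demo_" names are constructed;
// wp_nonce_field() and add_shortcode() are WordPress APIs.

function demo_feedback_form_shortcode() {
    // $referer = true keeps the _wp_http_referer field; $display = false suppresses
    // the echo so the markup can be placed inside the returned string. The field
    // name has already been passed through esc_attr() inside wp_nonce_field().
    $nonce_markup = wp_nonce_field( 'demo_feedback', 'demo_feedback_nonce', true, false );

    $html  = '<form method="post">';
    $html .= '<label for="feedback">Feedback</label>';
    $html .= '<textarea id="feedback" name="feedback"></textarea>';
    $html .= $nonce_markup;
    $html .= '<button type="submit">Send</button>';
    $html .= '</form>';

    // Returned, not echoed: echoing from a shortcode callback would print the form
    // before the surrounding post content instead of in place of the shortcode.
    return $html;
}
add_shortcode( 'demo_feedback_form', 'demo_feedback_form_shortcode' );
```

Verification of a submission from this form follows the same pattern as for any other nonce field: read $_POST['demo_feedback_nonce'] and pass it with the action string 'demo_feedback' to wp_verify_nonce() before processing the feedback.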

Changelog

Version | Description
2.0.4   | Introduced.

User Contributed Notes

  1. Basic Examples

    While less secure than the examples that follow, this is the simplest implementation, which omits all arguments. In your form add the following:

    wp_nonce_field();

    It’s better to name your action and nonce in your form. Enter values for the first and second arguments to print the necessary hidden field:

    <form method="post">
       <!-- some inputs here ... -->
       <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?>
    </form>

    Then in the page where it is being submitted to, you may verify it using the wp_verify_nonce() function. Notice that you have to manually retrieve the nonce (from the $_POST array in this example), and the name of the action is the 2nd parameter instead of the first:

    if ( ! isset( $_POST['name_of_nonce_field'] ) 
        || ! wp_verify_nonce( $_POST['name_of_nonce_field'], 'name_of_my_action' ) 
    ) {
       print 'Sorry, your nonce did not verify.';
       exit;
    } else {
       // process form data
    }

  2.

    We can create a nonce field without a name because it is optional. In that case, the name will be _wpnonce.

    wp_nonce_field( 'my-action-name' );

    The above statement echoes a hidden field named _wpnonce.

    To verify this nonce, we can use the `wp_verify_nonce` function.

    if ( isset( $_REQUEST['_wpnonce'] ) && wp_verify_nonce( $_REQUEST['_wpnonce'], 'my-action-name' ) ) {
      // do your action
    } else {
      die( __( 'Security check', 'textdomain' ) );
    }