check_admin_referer( int|string $action = -1, string $query_arg = '_wpnonce' )
Makes sure that a user was referred from another admin page.
Description
To avoid security exploits.
Parameters
- $action
  (int|string) (Optional) Action nonce. Default value: -1
- $query_arg
  (string) (Optional) Key to check for nonce in $_REQUEST (since 2.5). Default value: '_wpnonce'
Return
(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
Source
File: wp-includes/pluggable.php
function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
	if ( -1 == $action )
		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );

	$adminurl = strtolower(admin_url());
	$referer = strtolower(wp_get_referer());
	$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;

	/**
	 * Fires once the admin request has been validated or not.
	 *
	 * @since 1.5.1
	 *
	 * @param string    $action The nonce action.
	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
	 */
	do_action( 'check_admin_referer', $action, $result );

	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
		wp_nonce_ays( $action );
		die();
	}

	return $result;
}
Changelog
Version | Description |
---|---|
1.2.0 | Introduced. |
Related
Uses
- wp-includes/l10n.php: __()
- wp-includes/pluggable.php: wp_verify_nonce()
- wp-includes/pluggable.php: check_admin_referer
- wp-includes/functions.php: _doing_it_wrong()
- wp-includes/functions.php: wp_nonce_ays()
- wp-includes/functions.php: wp_get_referer()
- wp-includes/link-template.php: admin_url()
- wp-includes/plugin.php: do_action()
Used By
- wp-admin/includes/misc.php: set_screen_options()
- wp-admin/includes/dashboard.php: wp_dashboard_setup()
- wp-admin/includes/media.php: media_upload_form_handler()
- wp-admin/includes/media.php: wp_media_upload_handler()
- wp-admin/custom-header.php: Custom_Image_Header::step_2()
- wp-admin/custom-header.php: Custom_Image_Header::step_3()
- wp-admin/custom-header.php: Custom_Image_Header::take_action()
- wp-admin/custom-background.php: Custom_Background::take_action()
- wp-admin/custom-background.php: Custom_Background::handle_upload()
User Contributed Notes
Contributed by Codex
Usage in a plugin’s option page
Here is an example of how you might use this in a plugin’s option page. You add a nonce to a form using the wp_nonce_field() function:
<form method="post">
    <!-- some inputs here ... -->
    <?php wp_nonce_field( 'name_of_my_action','name_of_nonce_field' ); ?>
</form>
Then in the page where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted:
<?php

// if this fails, check_admin_referer() will automatically print a "failed" page and die.
if ( ! empty( $_POST ) && check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ) ) {
    // process form data, e.g. update fields
}

// Display the form
Note – Obsolete usage
Script dies if the admin referer is not validated.
<?php check_admin_referer(); ?>
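A fuller handler built on the source and return values shown above, as an added example that is not WordPress core code and not part of the contributed note: it pairs the nonce check with a capability check, uses the 1/2 return value, and logs failed validations through the check_admin_referer action. The myplugin_* names, the options-general.php?page=myplugin target and the admin-post.php wiring are assumptions for illustration.

```php
<?php
// Added example. All "myplugin_*" identifiers are hypothetical.

// Detection: the 'check_admin_referer' action fires before the function
// dies, so failed validations for our action can be logged here.
add_action( 'check_admin_referer', 'myplugin_log_nonce_failure', 10, 2 );
function myplugin_log_nonce_failure( $action, $result ) {
	if ( false === $result && 'myplugin_save_settings' === $action ) {
		error_log( sprintf(
			'myplugin: nonce check failed for action "%s", user %d, referer %s',
			$action,
			get_current_user_id(),
			esc_url_raw( (string) wp_get_referer() )
		) );
	}
}

// Handler for a form posted to admin-post.php with action=myplugin_save_settings.
add_action( 'admin_post_myplugin_save_settings', 'myplugin_handle_save' );
function myplugin_handle_save() {
	// A valid nonce shows the request came from a form rendered for this
	// user; it does not show that the user may perform the action.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change these settings.' ), 403 );
	}

	// Always pass an explicit action. With the default -1 the function does
	// not die when the Referer starts with the admin URL, even if no valid
	// nonce was sent (the obsolete usage).
	$age = check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	// Execution only reaches this point with $age === 1 or $age === 2.
	$value = isset( $_POST['myplugin_value'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_value'] ) )
		: '';
	update_option( 'myplugin_value', $value );

	// 2 means the nonce was generated 12-24 hours ago; flag it so the
	// settings page can note that the form was open for a long time.
	$args = array( 'page' => 'myplugin', 'updated' => 1 );
	if ( 2 === $age ) {
		$args['nonce_aging'] = 1;
	}
	wp_safe_redirect( add_query_arg( $args, admin_url( 'options-general.php' ) ) );
	exit;
}
```

The matching form would post to admin-post.php with a hidden action field set to myplugin_save_settings and call wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ).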