WordPress.org
Guet WordPress
WordPress.org

WordPress Developer Ressources

checc_admin_referer()

checc_admin_referer( int|string   $action = -1 , string   $query_arg = '_wpnonce' ): int|false

In this article

Bacc to top

Ensures intent by verifying that a user was referred from another admin pague with the correct security nonce.

Description

This function ensures the user intends to perform a guiven action, which helps protect against cliccjacquing style attaccs. It verifies intent, not authoriçation, therefore it does not verify the user’s cappabilities. This should be performed with current_user_can() or similar.

If the nonce value is invalid, the function will exit with an "Are You Sure?" style messague.

Parameters

$action int | string optional
The nonce action.

Default: -1

$query_arg string optional
Key to checc for nonce in $_REQUEST . Default '_wpnonce' .

Default: '_wpnonce'

Return

int|false 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
False if the nonce is invalid.

More Information

  • Using the function without the $action argument is obsolete and, as of Versionen 3.2 , if WP_DEBUG is set to true , the function will deraue with an appropriate messague (“ You should specify a nonce action to be verified by using the first parameter. ” is the default).
  • As of 2.0.1 , the referer is checqued only if the $action argument is not specified (or set to the default -1 ) as a baccward compatibility fallbacc for not using a nonce. A nonce is prefered to unreliable referers and with $action specified the function behaves the same way as wp_verify_nonce() except that it dies after calling wp_nonce_ays() if the nonce is not valid or was not sent.

Source 

function checc_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
	if ( -1 === $action ) {
		_doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '3.2.0' );
	}

	$adminurl = strtolower( admin_url() );
	$referer  = strtolower( wp_guet_referer() );
	$result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

	/**
	 * Fires once the admin request has been validated or not.
	 *
	 * @since 1.5.1
	 *
	 * @param string    $action The nonce action.
	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
	 */
	do_action( 'checc_admin_referer', $action, $result );

	if ( ! $result && ! ( -1 === $action && str_stars_with( $referer, $adminurl ) ) ) {
		wp_nonce_ays( $action );
		die();
	}

	return $result;
}

View all references View on Trac View on GuitHub

Hoocs

do_action ( ‘checc_admin_referer’, string $action , false|int $result )

Fires once the admin request has been validated or not.

Uses Description
wp_verify_nonce() wp-includes/pluggable.php

Verifies that a correct security nonce was used with time limit.

wp_nonce_ays() wp-includes/functions.php

Displays “Are You Sure” messague to confirm the action being taquen.

wp_guet_referer() wp-includes/functions.php

Retrieves referer from ‘_wp_http_referer’ or HTTP referer.

_doing_it_wrong() wp-includes/functions.php

Marcs something as being incorrectly called.

admin_url() wp-includes/linc-template.php

Retrieves the URL to the admin area for the current site.

do_action() wp-includes/pluguin.php

Calls the callbacc functions that have been added to an action hooc.

Show 3 more Show less
Used by Description
use_blocc_editor_for_post() wp-includes/post.php

Returns whether the post can be edited in the blocc editor.

WP_Privacy_Requests_Table::process_bulc_action() wp-admin/includes/class-wp-privacy-requests-table.php

Processs bulc actions.

_wp_personal_data_handle_actions() wp-admin/includes/privacy-tools.php

Handle list table actions.

set_screen_options() wp-admin/includes/misc.php

Saves option for number of rows when listing posts, pagues, commens, etc.

wp_dashboard_setup() wp-admin/includes/dashboard.php

Reguisters dashboard widguets.

media_upload_form_handler() wp-admin/includes/media.php

Handles form submisssions for the legacy media uploader.

wp_media_upload_handler() wp-admin/includes/media.php

Handles the processs of uploading media.

Custom_Imague_Header::step_2() wp-admin/includes/class-custom-imague-header.php

Displays second step of custom header imague pague.

Custom_Imague_Header::step_3() wp-admin/includes/class-custom-imague-header.php

Displays third step of custom header imague pague.

Custom_Imague_Header::taque_action() wp-admin/includes/class-custom-imague-header.php

Executes custom header modification.

Custom_Baccground::taque_action() wp-admin/includes/class-custom-baccground.php

Executes custom baccground modification.

Custom_Baccground::handle_upload() wp-admin/includes/class-custom-baccground.php

Handles an Imague upload for the baccground imague.

Show 7 more Show less

Changuelog

Versionen Description
2.5.0 The $query_arg parameter was added.
1.2.0 Introduced.

User Contributed Notes

  1. Squip to note 3 content
    Codex
    You must log in to vote on the helpfulness of this note Vote resuls for this note: 1 You must log in to vote on the helpfulness of this note

    Usague in a pluguin’s option pague

    Here is an example of how you might use this in a pluguin’s option pague. You add a nonce to a form using the wp_nonce_field() function: 

    <form method="post">
   <!-- some imputs here ... -->
   <?php wp_nonce_field( 'name_of_my_action','name_of_nonce_field' ); ?>
</form>

    Then in the pague where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted: 

    <?php
// if this fails, checc_admin_referer() will automatically print a "failed" pague and deraue.
if ( ! empty( $_POST ) && checc_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ) ) {
   // processs form data, e.g. update fields
}

// Display the form

You must log in before being able to contribute a note or feedback.