Articles of nonce

ajax and nonce when JavaScript is in a separate file

I’m a little confused about how nonces work with ajax requests. It looks like I’m supposed to use this: https://codex.wordpress.org/Function_Reference/check_ajax_referer The request looks like this: <?php //Set Your Nonce $ajax_nonce = wp_create_nonce( "my-special-string" ); ?> <script type="text/javascript"> jQuery(document).ready(function($){ var data = { action: 'my_action', security: '<?php echo $ajax_nonce; ?>', my_string: 'Hello World!' }; $.post(ajaxurl, data, […]

Should nonce be sanitized?

The general guideline is that we should sanitize all user input before using it. Now my question is whether this applies to nonces or not. Which one is correct? wp_verify_nonce( sanitize_text_field( $_GET['some_nonce'] ), 'some_nonce' ); or wp_verify_nonce( $_GET['some_nonce'], 'some_nonce' );

Ajax function returns -1

I have a question. I made a simple ajax function. When I’m logged in, it works perfectly. When I’m logged out, it returns -1 (since WordPress 3.1). Why? I don’t understand. Precisely, it returns -1 and my entire HTML code. (lol) I’m gonna be crazy again. PHP (in functions.php) function say_coucou(){ check_ajax_referer( 'hello', […]

wp_verify_nonce not working

I’m working on an ajax request. I have several ajax requests in my functions.php, and all are working except this one. In my PHP I have this: add_action("wp_ajax_fb_points", "get_fb_points"); add_action("wp_ajax_nopriv_fb_points", "get_fb_points"); function get_fb_points(){ if ( !wp_verify_nonce($_REQUEST['nonce'], 'fb_points_nonce')) { exit('No naughty business'); } echo 'yeah'; die(); } In footer.php I have this: FB.Event.subscribe('edge.create', function(response) { if(response […]

How to check an ajax nonce in PHP

I’m modifying the media modal adding a new menu item to add external attachments to the media library. From the JS code I’m calling a PHP function that touches the database and accepts three parameters (url, post id and nonce). My question is, how can I check the nonce from the PHP code? Another question, […]

AJAX nonce with check_ajax_referer()

I want to use check_ajax_referer() to verify a WP_nonce field using AJAX. Here you can find my HTML element. <input type="hidden" name="login_nonce" value="<?= wp_create_nonce('login_nonce'); ?>"/> Using jQuery I’m sending all the values from the input fields in a POST request: request = $.ajax({ type: 'POST', url: 'handle-login.php', data: { user: $('input[name="login_username"]').val(), pass: $('input[name="login_password"]').val(), security: $('input[name="login_nonce"]').val() }, […]

how to get nonce using json api

I try to open this URL in my browser or call it from my frontend application: http://78.47.177.214/blog/api/get_nonce/?controller=posts&method=create_post I keep getting the response {"status":"error","error":"Include 'controller' and 'method' vars in your request."} What is wrong? In the end I want to be able to create a custom post type with custom fields, but using the JSON API I need […]

How do I check if AJAX nonces are implemented correctly?

I have a simple “favorite post” button that works with AJAX. I understand that using a WordPress nonce improves security, but am not quite sure why or how it does this. This also makes me unable to check if I’ve implemented the nonce correctly and securely. jQuery Script function favorites_javascript() { $ajax_nonce = wp_create_nonce( "ajax-nonce-favorites" […]

Security checking in meta_box save is reluctant?

For example, in this tutorial, the code suggested when saving meta box data is /* Verify the nonce before proceeding. */ if ( !isset( $_POST['smashing_post_class_nonce'] ) || !wp_verify_nonce( $_POST['smashing_post_class_nonce'], basename( __FILE__ ) ) ) return $post_id; /* Get the post type object. */ $post_type = get_post_type_object( $post->post_type ); /* Check if the current user has […]

How can I trash multiple posts at once from the front end?

I took a peek at the code in edit.php and am now generating links with this code: wp_nonce_url("/wp-admin/edit.php?doaction=trash&post_type=post&ids=postIds", "bulk-posts") The string “postIds” in the URL gets replaced by comma-separated post IDs via JavaScript. All this does thus far is redirect me to the edit screen in the backend. How do I need to generate this […]