wp_verify_nonce vs check_admin_referer

What is the difference, which one should I use?

I know that wp_verify_nonce checks the time limit, and check_admin_referer I think calls wp_verify_nonce as well as checking for an admin url segment, but I’m a bit confused on which one I should use and when.

Thanks for the clarity.

Solutions Collecting From Web of "wp_verify_nonce vs check_admin_referer"

I thought that check_admin_referer checked the nonce (it does call wp_verify_nonce) and the referring URL. After digging into the core code I realised that it did not do this. Thinking it was a bug, I reported it, and Ryan Boren replied with the following:

Actually, if the nonce is valid the referrer should not be checked.
The unreliability of referrers is one of the reasons that nonces are
used. Nonces replace referrer checking entirely. The only time we
check the referrer is when handling the -1 backward compatibility
condition. -1 means that someone is not using nonces so we fall back
to referrer checking. This usage is now very rare.
check_admin_referer() is badly named now that it almost never does
referrer checking. It would be better named something like
check_nonce(), but we keep it as is for back compat and old times
sake.

So there is in fact no difference.

NO!!!

Don't count on check_admin_referer; be careful!

  • It includes wp_verify_nonce only in the case when _wpnonce was set!!!
  • In that case, it doesn't DIE(). Instead, it returns false…

Look through this pseudo-code (full source is here):

function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
    .....  // core sets $adminurl and $referer here (elided in this excerpt)
    // wp_verify_nonce() is only consulted when the query arg is present;
    // a missing nonce yields false without any time-window check at all.
    $result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;
    do_action( 'check_admin_referer', $action, $result );
    // A failed or missing nonce stops the request, except for the legacy
    // action -1 case, where a referer under the admin URL is accepted instead.
    if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
        die(...);
    }
    return $result;  // 1 (current window), 2 (previous window) or false
}
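An added, runnable model of both functions (example code written for this page, not WordPress core and not code from either answer): it reimplements the return contract of wp_verify_nonce() and the decision logic of the check_admin_referer() excerpt above, so you can trace which branch each request shape takes. Everything beyond the page's own code is an assumption: a constructed secret key, core's default 12-hour nonce life (so a nonce from the previous window yields 2), a single user id, an HMAC-based nonce in place of wp_hash(), and an exception standing in for die().

```php
<?php
// Added example, not WordPress core and not code from either answer above.
// Models the nonce contract so both functions can be exercised outside WordPress.
// Assumptions (not from the page): constructed secret key, core's default
// 12-hour nonce life, a single user id, and "die" modelled as an exception.

const NONCE_LIFE = 12 * 60 * 60;              // seconds; core's default lifetime
const SECRET_KEY = 'constructed-secret-key';  // placeholder, constructed for the demo

// Window number for $now: a nonce is accepted in the window it was made in
// and in the one after it, giving a 12..24 hour effective lifetime.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string
{
    // HMAC over tick|action|user, truncated to 10 chars like wp_create_nonce()
    return substr(hash_hmac('sha256', $tick . '|' . $action . '|' . $user_id, SECRET_KEY), -12, 10);
}

function create_nonce(string $action, int $user_id, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

// Same contract as wp_verify_nonce(): 1 for the current window, 2 for the
// previous one, false otherwise. It never stops the request; the caller decides.
function verify_nonce(string $nonce, string $action, int $user_id, int $now)
{
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action, $user_id), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action, $user_id), $nonce)) {
        return 2;
    }
    return false;
}

// Mirror of the decision in check_admin_referer(): verify only when the query
// arg is present, accept an admin referer only for the legacy action -1, and
// stop the request (here: throw) in every other failure case.
function check_admin_referer_model(array $request, $action, string $referer, string $adminurl, int $user_id, int $now, string $query_arg = '_wpnonce')
{
    $result = isset($request[$query_arg])
        ? verify_nonce($request[$query_arg], $action, $user_id, $now)
        : false;
    if (!$result && !(-1 == $action && strpos($referer, $adminurl) === 0)) {
        throw new RuntimeException('Are you sure you want to do this?');  // stands in for die()
    }
    return $result;
}

// Demo: one constructed request per branch.
$now   = 1_700_000_000;
$user  = 1;
$admin = 'https://example.test/wp-admin/';
$nonce = create_nonce('delete-post_42', $user, $now);

$cases = [
    'fresh nonce'                  => [['_wpnonce' => $nonce], 'delete-post_42', $now],
    'nonce from previous window'   => [['_wpnonce' => $nonce], 'delete-post_42', $now + NONCE_LIFE / 2 + 1],
    'expired nonce (>24h)'         => [['_wpnonce' => $nonce], 'delete-post_42', $now + NONCE_LIFE + 1],
    'nonce for a different action' => [['_wpnonce' => $nonce], 'delete-post_43', $now],
    'no nonce at all'              => [[], 'delete-post_42', $now],
];

foreach ($cases as $label => [$request, $action, $at]) {
    $plain = isset($request['_wpnonce']) ? verify_nonce($request['_wpnonce'], $action, $user, $at) : false;
    try {
        $checked = check_admin_referer_model($request, $action, $admin . 'edit.php', $admin, $user, $at);
    } catch (RuntimeException $e) {
        $checked = 'died';
    }
    printf("%-30s wp_verify_nonce=%s check_admin_referer=%s\n", $label, var_export($plain, true), var_export($checked, true));
}

// Only the legacy action -1 lets an admin referer substitute for a nonce;
// the call returns false and does not die, and the nonce is never checked.
$legacy = check_admin_referer_model([], -1, $admin . 'edit.php', $admin, $user, $now);
printf("%-30s check_admin_referer=%s (referer fallback)\n", 'action -1, no nonce', var_export($legacy, true));
```

Run it with `php nonce-demo.php` (any file name). The practical reading of the output: use wp_verify_nonce() where your handler wants to decide the failure response itself (an AJAX endpoint returning a JSON error, for instance), since it only ever returns 1, 2 or false; use check_admin_referer() where ending the request with the "Are you sure?" screen is the behaviour you want. In both cases pass an explicit action string so the action -1 referer fallback can never apply.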