bbp_verify_nonce_request

Makes sure the user requested an action from another page on this site.

Description

bbp_verify_nonce_request( (string) $action = '', (string) $query_arg = '_wpnonce' ); 

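Used to avoid security exploits within the theme: the request must carry a valid nonce for the given action, and the requested URL must begin with the site's home URL.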

Parameters (2)

0. $action — Optional. (string) => ''
Nonce action name, passed to wp_verify_nonce(). If it is left empty, the check always fails.
1. $query_arg — Optional. (string) => '_wpnonce'
Where to look for nonce in $_REQUEST

Usage

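  // Load bbPress's common functions only when the plugin has not already done so.
  // PLUGINDIR carries no trailing slash, so the separator belongs to the path
  // segment that follows it.
  if ( ! function_exists( 'bbp_verify_nonce_request' ) ) {
      require_once ABSPATH . PLUGINDIR . '/bbpress/includes/common/functions.php';
  }

  // Nonce action name. Use the same string that was passed when the nonce was
  // created; bbp_verify_nonce_request() returns false for an empty action.
  $action = '';

  // Key to read the nonce from in $_REQUEST.
  $query_arg = '_wpnonce';

  // NOTICE! Understand what this does before running.
  // $result is false when verification fails; do not carry out the requested
  // action in that case.
  $result = bbp_verify_nonce_request( $action, $query_arg );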

Defined (1)

The function is defined in the following location(s).

/includes/common/functions.php  
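  /**
   * Verify the nonce sent with the current request and check that the
   * requested URL starts with this site's home URL.
   *
   * Fires the 'bbp_verify_nonce_request' action with the action name and the
   * result before returning.
   *
   * @param string $action    Nonce action name handed to wp_verify_nonce(). An
   *                          empty value always makes the check fail.
   * @param string $query_arg Key to read the nonce from in $_REQUEST.
   * @return int|false The value returned by wp_verify_nonce() when every check
   *                   passes, false otherwise.
   */
  function bbp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {

      /** Home URL **************************************************************/

      // Parse home_url() into pieces to remove query-strings, strange characters,
      // and other funny things that plugins might do to it.
      $parsed_home = parse_url( home_url( '/', ( is_ssl() ? 'https' : 'http' ) ) );

      // Maybe include the port, if it's included
      if ( isset( $parsed_home['port'] ) ) {
          $parsed_host = $parsed_home['host'] . ':' . $parsed_home['port'];
      } else {
          $parsed_host = $parsed_home['host'];
      }

      // Set the home URL for use in comparisons
      $home_path = isset( $parsed_home['path'] ) ? $parsed_home['path'] : '';
      $home_url  = trim( strtolower( $parsed_home['scheme'] . '://' . $parsed_host . $home_path ), '/' );

      /** Requested URL *********************************************************/

      // Both values come from the client's request. Treat a missing one as
      // empty so the comparison below fails closed instead of raising a
      // warning.
      $http_host   = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : '';
      $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

      // Maybe include the port, if it's included in home_url(). HTTP_HOST can
      // already carry the port; appending SERVER_PORT again would hand a
      // malformed host:port:port URL to the filter below.
      if ( isset( $parsed_home['port'], $_SERVER['SERVER_PORT'] ) && false === strpos( $http_host, ':' ) ) {
          $request_host = $http_host . ':' . $_SERVER['SERVER_PORT'];
      } else {
          $request_host = $http_host;
      }

      // Build the currently requested URL
      $scheme        = is_ssl() ? 'https://' : 'http://';
      $requested_url = strtolower( $scheme . $request_host . $request_uri );

      /** Look for match ********************************************************/

      // Filter the requested URL, for configurations like reverse proxying
      $matched_url = apply_filters( 'bbp_verify_nonce_request_url', $requested_url );

      // Check the nonce. Only a string can be a valid nonce; anything else
      // (for example an array sent as _wpnonce[]) is rejected outright.
      $result = false;
      if ( isset( $_REQUEST[ $query_arg ] ) && is_string( $_REQUEST[ $query_arg ] ) ) {
          $result = wp_verify_nonce( $_REQUEST[ $query_arg ], $action );
      }

      // NOTE(review): the URL test is a plain prefix comparison with no
      // boundary after $home_url, and the host part is taken from the
      // client-supplied Host header. The nonce check is what authenticates the
      // request; the URL test is only a secondary check.
      if ( empty( $result ) || empty( $action ) || ( strpos( $matched_url, $home_url ) !== 0 ) ) {
          $result = false;
      }

      // Do extra things
      do_action( 'bbp_verify_nonce_request', $action, $result );

      return $result;
  }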