• Hello

    I’m having some problems with nonces and I can’t find a solid answer. If you can help with any of the below questions I would appreciate it.

    1. I have a custom post with an added meta box. This meta box has some standard fields. The fields are just input fields BUT ARE NOT IN FORM TAGS. Should I use wp_create_nonce( ) – – OR – – wp_nonce_field( )? Does it really matter?

    2. My theme consists of 5 custom posts. In one of them I have a meta box with a nonce field. The nonce is created and used to verify upon saving that post. Works fine. My problem is when I go to update one of the other custom posts it doesn’t work due to that nonce field failing from the other post type? If anyone could explain why I’d be grateful.

    3. Do I really need to add a nonce field in each metabox for each custom post if it’s just a client’s child theme and not a plugin?
    Thanks

Viewing 1 replies (of 1 total)
  • Hello. I am also facing the matter of the meaning of the nonce token for metaboxes (see this topic I posted), so I want to think about your questions.

    Ans. for Q1:

    You said the meta box includes some fields and they are not in form tags, but the meta box you added seems to be INSIDE THE FORM TAG which holds the standard WP post fields, as long as you’ve added your meta box via the function “add_meta_box”.
    And so, the form element has a hidden input field having a value of “_wpnonce” (this is automatically created by built-in functionality). The nonce token is to be used as verification for protecting against CSRF via WP’s function “check_admin_referer”. The difference between wp_create_nonce() and wp_nonce_field() is only returning a value of the nonce or an HTML input element having a value of the nonce, so this does not matter, because I think that the nonce token (which I’ve already explained, named “_wpnonce”) for CSRF protection is already provided by built-in WP.

    Ans. for Q2:
    Do you check whether the post type of the POSTed post is equal to your expected post type in your handler function hooked into the “save_post” action? Or do you use an appropriate “action_name” for the parameter of “wp_verify_nonce($nonce, $action_name)”?

    Ans. for Q3:
    If your custom metaboxes are NOT expected to be handled via an ajax call, you may not have to add a nonce field to each meta box, because of what I explained in Ans. for Q1.

    My English skill is a little poor… Please forgive me.
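
The two checks raised in the answer to Q2, as an added example that is not part of the original thread: a `save_post` handler that skips other post types before looking for its nonce, and verifies the nonce against its own action name. The post type `book`, the field and meta key names, and the `myprefix_*` functions are hypothetical.

```php
<?php
// Added example; 'book', the field names and myprefix_* functions are hypothetical.

add_action( 'add_meta_boxes', 'myprefix_add_book_box' );
function myprefix_add_book_box() {
    add_meta_box( 'myprefix_book_details', 'Book details', 'myprefix_render_book_box', 'book' );
}

function myprefix_render_book_box( $post ) {
    // Prints a hidden input named myprefix_book_nonce, bound to this action string.
    wp_nonce_field( 'myprefix_save_book', 'myprefix_book_nonce' );
    $isbn = get_post_meta( $post->ID, '_myprefix_isbn', true );
    echo '<label for="myprefix_isbn">ISBN</label> ';
    echo '<input type="text" id="myprefix_isbn" name="myprefix_isbn" value="' . esc_attr( $isbn ) . '" />';
}

add_action( 'save_post', 'myprefix_save_book_box', 10, 2 );
function myprefix_save_book_box( $post_id, $post ) {
    // save_post fires for every post type. The other types never render
    // this box, so they carry no such nonce and must be skipped, not failed.
    if ( 'book' !== $post->post_type ) {
        return;
    }
    // Autosaves and revisions do not submit the meta box fields.
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // No nonce in the request (field not submitted): leave the meta untouched.
    if ( ! isset( $_POST['myprefix_book_nonce'] ) ) {
        return;
    }
    // The action string must match the one passed to wp_nonce_field() above.
    $nonce = sanitize_text_field( wp_unslash( $_POST['myprefix_book_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'myprefix_save_book' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( isset( $_POST['myprefix_isbn'] ) ) {
        $isbn = sanitize_text_field( wp_unslash( $_POST['myprefix_isbn'] ) );
        update_post_meta( $post_id, '_myprefix_isbn', $isbn );
    }
}
```

Hooking the handler to `save_post_book` instead of `save_post` limits it to that post type and makes the first check redundant.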

  • The topic ‘Nonce help’ is closed to new replies.