A little while ago I wrote a tutorial about making an admin page for your WordPress plugin/theme that submits its information via AJAX. I've decided to do another tutorial focusing on the use of nonce codes when using AJAX within WordPress. They can be particularly tricky to understand at first, but once you learn how to make your code work with them instead of against them it's a breeze.
What Security?
To stop external requests from being accepted by your AJAX function, WordPress has a built-in security system you are strongly advised to use. It works using WordPress' nonce system. This is a numeric code generated once every 12 hours and is only usable for 24 hours (that means the current and previous code will both work). For more information on how the nonce code works, read Mark Jaquith's post on them.
How Do I Use A Nonce?
To use a nonce you first need to generate one. You can generate one for any purpose like so:
$nonce = wp_create_nonce('my-nonce');
When using it for AJAX, though, you will want to pass it along with your form information in a hidden field, which looks like this:
<input type="hidden" name="nonce" value="<?php echo wp_create_nonce('your-action-code'); ?>" />
your-action-code should be a unique text value related in some way to your plugin/theme.
Now you need to verify that nonce on the receiving side. To do that, when using AJAX, you use check_ajax_referer('your-action-code'). The text your-action-code must read exactly the same as the text passed to your wp_create_nonce(). You should also tell the function which key in the $_REQUEST array holds your nonce, like this:
check_ajax_referer('your-action-code', 'nonce'); // same action string as wp_create_nonce(), and the hidden field's name
//Code to run if AJAX request is verified
For those who don't know what the $_REQUEST array key is: it will be the same as the name attribute of the input field that contains the nonce code. If the nonce is correctly verified, execution continues past the check; if not, it triggers die('-1'), stopping your code dead.
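As an added example (not code from the original post), here is a minimal plugin that wires the pieces above together: the hidden nonce field, the jQuery call to admin-ajax.php, and the PHP handler that verifies the nonce before doing anything. The action string 'your-action-code', the field name 'nonce', the AJAX action 'yac_save', and every yac_* function name are assumptions made for this example. It also adds the capability check a practitioner would want alongside the nonce, since a nonce only proves the request originated from a page WordPress generated, not that the user is allowed to perform the action.

```php
<?php
/*
 * Added example, not part of the original post. Names prefixed yac_ and the
 * action strings 'your-action-code' / 'yac_save' are assumptions.
 */

// 1. Print the form on an admin page. The hidden 'nonce' field carries the
//    nonce; the hidden 'action' field tells admin-ajax.php which handler to run.
function yac_render_form() {
    ?>
    <form id="yac-form">
        <input type="hidden" name="action" value="yac_save" />
        <input type="hidden" name="nonce" value="<?php echo esc_attr( wp_create_nonce( 'your-action-code' ) ); ?>" />
        <input type="text" name="message" value="" />
        <button type="submit">Send</button>
    </form>
    <?php
}

// 2. Submit the form with jQuery. serialize() sends every field, including
//    the nonce, so it arrives in $_REQUEST['nonce'] on the PHP side.
function yac_enqueue_script() {
    wp_enqueue_script( 'jquery' );
    wp_localize_script( 'jquery', 'yacAjax', array( 'url' => admin_url( 'admin-ajax.php' ) ) );
    $js = <<<'JS'
jQuery(function ($) {
    $('#yac-form').on('submit', function (e) {
        e.preventDefault();
        $.post(yacAjax.url, $(this).serialize(), function (response) {
            console.log(response);
        });
    });
});
JS;
    wp_add_inline_script( 'jquery', $js );
}
add_action( 'admin_enqueue_scripts', 'yac_enqueue_script' );

// 3. The receiving side. check_ajax_referer() reads $_REQUEST['nonce'] and
//    verifies it against the same action string used to create it; on failure
//    it stops execution, as described above, so nothing below runs.
function yac_handle_save() {
    check_ajax_referer( 'your-action-code', 'nonce' );

    // The nonce does not say who the user is or what they may do;
    // authorisation is a separate check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'yac_message', $message );

    wp_send_json_success( array( 'saved' => $message ) );
}
// wp_ajax_{action}: runs for logged-in users when the 'action' field is 'yac_save'.
add_action( 'wp_ajax_yac_save', 'yac_handle_save' );
```

If the nonce is missing, expired, or was created for a different action string, check_ajax_referer() ends the request before the capability check and the option update are reached.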
So That’s It?
Yes, that is how you use a nonce to help with AJAX security. There are parts missing from this post, such as sending the action (so WordPress can find your AJAX function), creating your jQuery function etc., but these are all explained in this post. This post is just meant to explain, in more detail, the use of a nonce with AJAX should you have difficulty understanding it.
WordPress logo © WordPress · Composite image created by Lisa Marie
Discussion: 1 Comment
You're right, it is quite hard to understand, but when you have learned it, it is very useful. Thanks for this tutorial.