⚡ MiltonMarketing.com Powered by Rocket.net – Managed WordPress Hosting
Approx. read time: 27.5 min.
Post: Extending WordPress with Plugins
Creating unique nonces for plugin form security
Nonces are an important part of plugin security for WordPress. They exist to ensure that a hacker or spammer does not forge data being sent by a form. A nonce is a computer science word meaning “a number used once” and is a unique identifier for a request.
To secure your plugin from cross-site request forgery, or more commonly known as CSRF, you need to ensure that you create a unique nonce in your form. You can do this by passing a distinct and unique string to the wp_nonce_field() function from inside your < form > tags. On the other end of the request, you will also verify that this randomly generated number is authentic. With the nonce included, the code for your form would look similar to the code below:
[html] function copyright_notices_admin(){
?>
<div class=”wrap”>
<h2>Copyright Notices Configuration</h2>
On this page, you will configure all the aspects of this
plugins.
<form action=”” method=”post” id=”copyright-notices-conf-form”>
<h3><label for=”copyright_text”>Copyright Text to be inserted
in the footer of your theme:</label></h3>
<input type=”text” name=”copyright_text” id=”copyright_
text” value=” <?php echo esc_attr( get_option(‘copyright_notices_text’) ) ?> “ />
<input type=”submit” name=”submit” value=”Update options »” />
<?php wp_nonce_field(‘copyright_notices_admin_optionsupdate’); ?>
</form>
</div>
<?php
}[/html]
Processing data and interacting with the database
You need to add the form to the database. To do this you first need to verify that the request is authentic by checking the nonce created above using the check_admin_referer() function. After the request is verified, update the database with the plugin API provided by WordPress. The code to do this is shown below:
[html] function save_copyright_notices(){
if( check_admin_referer(‘copyright_notices_admin_options-update’) )
{
if( update_option( ‘copyright_notices_test’, stripslashes( $_
POST[‘copyright_text’] ) ) )
wp_redirect( __FILE__ . ‘?updated=1’ );
}
}
add_action( ‘load-copyright-notices.php’, ‘save_copyright_notices’ );[/html]
In this listing, you have specifically checked the nonce with check_admin_referer(). In the event of a Cross-Site Request Forgery (CSRF) attack, this check would fail and nothing would happen. Because this works in the context of your plugin, the rest of the code in this listing will also work. After the nonce check is verified, you can use the update_option() to change the value. You are simply using the form data and don’t have to worry about doing a lot of data sanitization. WordPress already does the heavy lifting in this area.
One of the many benefits of staying within the framework of the WordPress API is that you can count on data being sanitized while using add_option() and update_option(). Likewise, these functions will serialize non-string data that you might pass to it, and get_option() will un-serialize data automatically. You get out what you put in.
The final portion of the code instructs WordPress to display a friendly “Options Saved” message if the transaction was successful. Congratulations. You have created your first WordPress plugin. With hooks, though, you can do even more with this plugin.
Related Posts
About the Author: Bernard Aybout (Virii8)
