check_admin_referer

函数
check_admin_referer ( $action = -1, $query_arg = '_wpnonce' )
参数
  • (int|string) $action The nonce action.
    Required:
    Default: -1
  • (string) $query_arg Optional. Key to check for nonce in `$_REQUEST`. Default '_wpnonce'.
    Required:
    Default: '_wpnonce'
返回值
  • (int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.
定义位置
相关方法
check_ajax_referercheck_password_reset_keycheck_upload_mimes_get_admin_bar_prefwp_admin_bar_render
引入
1.2.0
弃用
-

check_admin_referer: 这个函数用来检查管理员的nonce,以验证一个请求的来源。它需要两个参数:nonce名称和动作。它不返回任何东西,但如果nonce检查失败,会抛出一个错误。

通过验证用户是从另一个具有正确安全核证码的管理页面转来的,以确保其意图。

这个功能确保用户打算执行一个给定的动作,这有助于防止点击劫持式攻击。它验证的是意图,而不是授权,因此它不会验证用户的权限。这应该用`current_user_can()`或类似的方法进行。

如果nonce值无效,该函数将以”你确定吗?”风格的消息退出。

function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
		if ( -1 === $action ) {
			_doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '3.2.0' );
		}

		$adminurl = strtolower( admin_url() );
		$referer  = strtolower( wp_get_referer() );
		$result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

		/**
		 * Fires once the admin request has been validated or not.
		 *
		 * @since 1.5.1
		 *
		 * @param string    $action The nonce action.
		 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
		 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
		 */
		do_action( 'check_admin_referer', $action, $result );

		if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
			wp_nonce_ays( $action );
			die();
		}

		return $result;
	}
endif;

if ( ! function_exists( 'check_ajax_referer' ) ) :
	/**
	 * Verifies the Ajax request to prevent processing requests external of the blog.
	 *
	 * @since 2.0.3
	 *
	 * @param int|string   $action    Action nonce.
	 * @param false|string $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false,
	 *                                `$_REQUEST` values will be evaluated for '_ajax_nonce', and '_wpnonce'
	 *                                (in that order). Default false.
	 * @param bool         $die       Optional. Whether to die early when the nonce cannot be verified.
	 *                                Default true.
	 * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago,
	 *                   2 if the nonce is valid and generated between 12-24 hours ago.
	 *                   False if the nonce is invalid.
	 */

常见问题

FAQs
查看更多 >