ZNonce library provides WordPress nonce functionality in more object-oriented way. Nonces are used to help protect URLs and forms from certain types of misuse, malicious or otherwise. Please see https://codex.wordpress.org/WordPress_Nonces for details.
The recomended way to install ZNonce is using composer:
composer require zahardoc/z-nonce
After installation ensure you required composer autoload.php file anywhere in your code before using ZNonce:
require_once 'path/to/folder/vendor/autoload.php';
Then you could get ZNonce everywhere in your code using ZNonce::init() function:
$znonce = Zahardoc\ZNonce\ZNonce::init();
Then you can create or verify a nonce.
Note that nonces has lifetime after which they expire. By default it is 24 hours, but you can modify it by set_nonce_life() method. Just call it with number of seconds you want nonce to live. Example: set nonce time to 1 minute:
$znonce->set_nonce_life(60);
Also, you can always check nonce life time by get_nonce_life():
$life = $znonce->get_nonce_life();
When you creating a nonce try to use as more specific action as you can. For example, if you are dealing with post, add post id to your action. There are 3 ways to use creating a nonce functionality:
To add a nonce to a URL, call nonce_url() method specifying the bare URL and a string representing the action:
$action_url = $znonce->nonce_url( $bare_url, 'your_action_'.$post_id );
To add a nonce to a form, use nonce_field():
$znonce->nonce_field( 'your_action_'.$post_id );
It will create 2 hidden fields with nonce and referer values, which you could verify later.
If you need nonce itself to use it in some other way, call create_nonce() method:
$nonce = $znonce->create_nonce( 'your-action_'.$post_id );
If nonce is valid, all verify methods return 1 or 2 depending on how much time ago it has been created. If it is less then half of expire time - method returns 1, otherwise - 2.
To verify a nonce passed from an admin screen, call check_admin_referer() specifying the string representing the action.
$znonce->check_admin_referer( 'your_action' );
This call checks the nonce and the referrer, and if the check fails it terminates script execution with a "403 Forbidden" response and an error message.
To verify a nonce passed from an AJAX request, call check_ajax_referer() method specifying the string representing the action.
$znonce->check_ajax_referer( 'your_action' );
This call checks the nonce (but not the referrer), and if the check fails then it terminates script execution.
If you want just verify a nonce and then do some of your custom actions, use verify_nonce() method:
$result = $znonce->verify_nonce( $_REQUEST['your_nonce'], 'your-action_'.$post_id );
ZNonce is provided with phpunit tests. To run them, please follow these steps:
- Go to the library root directory:
cd /your/vendor/path/zahardoc/z-nonce
- Install environment
tests/install.sh <db-name> <db-user> <db-pass> [db-host] [wp-version]
Note: use database user with privileges to create new database. Don't specify existing database here. - Install library dependencies:
composer update
- Run tests:
vendor/bin/phpunit
This library is released under the MIT license, you can use it free of charge on your personal or commercial sites.