WordPress at a glance

wp_verify_nonce() WP 2.0.3

Verify nonce token.

The token is created by one of the functions:

This is a pluggable function, so a plugin can replace it. Because of that, the function is defined (and usable) only after all plugins have been loaded (included); before that moment it does not exist. Therefore you cannot call it, or any function that depends on it, directly at the top level of a plugin file. Call it on the plugins_loaded hook or later, for example on the init hook.

Function replacement (override): in a plugin you can define a function with the same name, and it will replace this one.

Is the basis for: check_ajax_referer()

Hooks in function: nonce_user_logged_out (filter), wp_verify_nonce_failed (action)

Return

false|int. False if the nonce is invalid, 1 if the nonce is valid and was generated 0-12 hours ago, 2 if the nonce is valid and was generated 12-24 hours ago.

Usage

wp_verify_nonce( $nonce, $action );

$nonce (string) (required)
The nonce that was placed in the form and is now to be verified. It is usually passed in the request, e.g. $_POST['_wpnonce'].

$action (string|int)
The key (action) that was used when the token was created.
Default: -1

This is the optional argument that may have been passed when the token was created (e.g. wp_create_nonce('action_key')). If no action was specified when the token was created, it must be omitted here too; the nonce will then verify successfully. If the action differs between creation and verification, the hashes do not match and verification fails.

Examples

#1. Data verification for $_GET request

<?php $nonce = wp_create_nonce( 'my-nonce' ); ?>

<a href="myplugin.php?_wpnonce=<?php echo esc_attr( $nonce ); ?>&data=some-data"> ...

<?php
// verify the request; a missing nonce counts as an invalid one
$nonce = isset( $_GET['_wpnonce'] ) ? $_GET['_wpnonce'] : '';
if ( wp_verify_nonce( $nonce, 'my-nonce' ) ) {
	// handle the data here
} else {
	die( 'Forbidden!' );
}
?>
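#2. Data verification for a $_POST form, with a capability check and failure logging

The following is an added example, not code from the original page: a complete plugin-side handler for a $_POST form. It uses the real WordPress helpers wp_nonce_field(), admin_url(), current_user_can(), sanitize_text_field() and the wp_verify_nonce_failed hook visible in the source below; the function names myplugin_*, the action key 'myplugin_save', the field name 'myplugin_nonce' and the option 'myplugin_value' are hypothetical. Note that wp_verify_nonce() is only called from inside a hook callback, as required for a pluggable function.

```php
<?php
/*
 * Added example (hypothetical myplugin_* names). Shows that a nonce check
 * proves the request came from a form this site rendered for this user,
 * while authorisation (current_user_can) is a separate, mandatory check.
 */

// Render a form that carries a nonce field (wp_nonce_field is a core helper).
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
		<input type="hidden" name="action" value="myplugin_save">
		<input type="text" name="myplugin_value">
		<button type="submit">Save</button>
	</form>
	<?php
}

// Handle the submission. admin_post_{action} runs after plugins_loaded,
// so calling the pluggable wp_verify_nonce() here is safe.
function myplugin_handle_save() {
	// A missing nonce is treated exactly like an invalid one.
	$nonce = isset( $_POST['myplugin_nonce'] ) ? (string) wp_unslash( $_POST['myplugin_nonce'] ) : '';

	if ( ! wp_verify_nonce( $nonce, 'myplugin_save' ) ) {
		wp_die( 'Forbidden!', 'Forbidden', array( 'response' => 403 ) );
	}

	// The nonce only proves intent; it says nothing about permissions.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden!', 'Forbidden', array( 'response' => 403 ) );
	}

	$value = isset( $_POST['myplugin_value'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_value'] ) )
		: '';
	update_option( 'myplugin_value', $value );

	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

// Record every failed verification for monitoring. The hook and its four
// arguments are those fired by wp_verify_nonce() itself (WP 4.4+).
// The nonce value is deliberately not written to the log.
function myplugin_log_nonce_failure( $nonce, $action, $user, $token ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
	error_log( sprintf( 'nonce verification failed: action=%s user=%d ip=%s', $action, (int) $user->ID, $ip ) );
}
add_action( 'wp_verify_nonce_failed', 'myplugin_log_nonce_failure', 10, 4 );
```

A burst of wp_verify_nonce_failed events for one action or one client is a useful signal: genuine users rarely submit expired forms more than once, whereas forged or replayed requests fail every time.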

Source of wp_verify_nonce(): wp-includes/pluggable.php, WP 5.0.3

<?php
function wp_verify_nonce( $nonce, $action = -1 ) {
	$nonce = (string) $nonce;
	$user = wp_get_current_user();
	$uid = (int) $user->ID;
	if ( ! $uid ) {
		/**
		 * Filters whether the user who generated the nonce is logged out.
		 *
		 * @since 3.5.0
		 *
		 * @param int    $uid    ID of the nonce-owning user.
		 * @param string $action The nonce action.
		 */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	if ( empty( $nonce ) ) {
		return false;
	}

	$token = wp_get_session_token();
	$i = wp_nonce_tick();

	// Nonce generated 0-12 hours ago
	$expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;
	}

	// Nonce generated 12-24 hours ago
	$expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;
	}

	/**
	 * Fires when nonce verification fails.
	 *
	 * @since 4.4.0
	 *
	 * @param string     $nonce  The invalid nonce.
	 * @param string|int $action The nonce action.
	 * @param WP_User    $user   The current user object.
	 * @param string     $token  The user's session token.
	 */
	do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token );

	// Invalid nonce
	return false;
}
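To make the two time windows and the three possible results of the source above observable without a WordPress install, here is an added, stand-alone example (not WordPress code). It re-creates the verification logic with local stand-ins: demo_hash() replaces wp_hash( $data, 'nonce' ) with an HMAC over a constructed salt, demo_tick() replaces wp_nonce_tick() using the default nonce lifetime of one day, and the user id, session token and timestamps are constructed values.

```php
<?php
/*
 * Added stand-alone example. Mirrors wp_create_nonce()/wp_verify_nonce()
 * with local stand-ins so the 1 / 2 / false outcomes can be exercised.
 */

const NONCE_LIFE = 86400;                    // DAY_IN_SECONDS, the default nonce_life
const DEMO_SALT  = 'constructed-demo-salt';  // stands in for the site's nonce salt

// Stand-in for wp_hash( $data, 'nonce' ): a keyed HMAC, never a bare hash.
function demo_hash( $data ) {
	return hash_hmac( 'md5', $data, DEMO_SALT );
}

// Stand-in for wp_nonce_tick(): the number of the current half-life interval,
// so every nonce is valid for between 12 and 24 hours.
function demo_tick( $now ) {
	return (int) ceil( $now / ( NONCE_LIFE / 2 ) );
}

// Mirrors wp_create_nonce(): ten characters cut from the keyed hash.
function demo_create_nonce( $action, $uid, $token, $now ) {
	$i = demo_tick( $now );
	return substr( demo_hash( $i . '|' . $action . '|' . $uid . '|' . $token ), -12, 10 );
}

// Mirrors wp_verify_nonce(): accept only the current and the previous tick,
// compare with hash_equals() to avoid a timing side channel.
function demo_verify_nonce( $nonce, $action, $uid, $token, $now ) {
	$nonce = (string) $nonce;
	if ( '' === $nonce ) {
		return false;
	}
	$i = demo_tick( $now );

	$expected = substr( demo_hash( $i . '|' . $action . '|' . $uid . '|' . $token ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 1;   // created in the current 12-hour window
	}

	$expected = substr( demo_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token ), -12, 10 );
	if ( hash_equals( $expected, $nonce ) ) {
		return 2;   // created in the previous 12-hour window
	}

	return false;   // expired, wrong action, wrong user or wrong session
}

// Constructed inputs.
$uid   = 7;
$token = 'constructed-session-token';
$t0    = 1700000000;   // constructed creation time
$nonce = demo_create_nonce( 'my-nonce', $uid, $token, $t0 );

var_dump( demo_verify_nonce( $nonce, 'my-nonce', $uid, $token, $t0 ) );               // same window
var_dump( demo_verify_nonce( $nonce, 'my-nonce', $uid, $token, $t0 + 12 * 3600 ) );   // exactly one tick later
var_dump( demo_verify_nonce( $nonce, 'my-nonce', $uid, $token, $t0 + 24 * 3600 ) );   // two ticks later
var_dump( demo_verify_nonce( $nonce, 'other',    $uid, $token, $t0 ) );               // different action
var_dump( demo_verify_nonce( $nonce, 'my-nonce', $uid, 'other-token', $t0 ) );        // different session
var_dump( demo_verify_nonce( '',     'my-nonce', $uid, $token, $t0 ) );               // empty nonce
```

Run with php on the command line. The first call matches in the current-tick branch and the second only in the previous-tick branch; the remaining four fail, which illustrates what the hash binds: the time window, the action, the user id and the session token. Because the session token is part of the input, a nonce is useless after the user logs out, and a nonce minted for one action cannot be replayed against another.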

Author: vladlu
Editors: kama