wp_verify_nonce()
Verify nonce token.
The token is created by one of the functions:
Pluggable function — this function can be replaced by a plugin. This means it is defined only after all plugins are loaded (included); before that point it does not exist. Therefore, you cannot call this function, or any function that depends on it, directly from plugin code. Call them on the plugins_loaded hook or later, for example on the init hook.
Function replacement (override) — in a must-use or regular plugin you can create a function with the same name, and it will replace this function.
Hooks from the function
Return
Int|false. 1 if the nonce is valid and generated between 0-12 hours ago,
2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.
Usage
wp_verify_nonce( $nonce, $action );
- $nonce (string) (required)
  Nonce that was used in the form to verify. It is usually passed in a request: $_POST['_wpnonce'].
- $action (string/int)
  The key which was used for the token creation.
  It's an optional argument that may be passed to the function (e.g. wp_create_nonce('action_key')). If the value was not specified when the token was created, then it should be omitted here too - the verification will pass successfully.
  Default: -1
Examples
#1 Data verification for $_GET request
<?php $nonce = wp_create_nonce( 'my-nonce' ); ?>
<a href='myplugin.php?_wpnonce=<?php echo $nonce ?>&data=какие-то данные'> ...
<?php
// verify the request (isset() avoids a notice when the parameter is missing)
if ( isset( $_GET['_wpnonce'] ) && wp_verify_nonce( $_GET['_wpnonce'], 'my-nonce' ) ) {
	// handle the data here
} else {
	die( 'Forbidden!' );
}
?>
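The return values and the pluggable-function note above, put together in an added example that is not from the original page or from WordPress itself: a POST form handler that runs on a hook fired after plugins are loaded and treats the results 1, 2 and false separately. The plugin prefix myplugin, the action key, the field names and the option name are assumptions made for illustration.

```php
<?php
// Added example: "myplugin", the action key, field names and option name are hypothetical.

// Print the form; wp_nonce_field() outputs a hidden input with a nonce tied to the action key.
function myplugin_render_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="myplugin_save">
		<?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
		<input type="text" name="myplugin_title">
		<button type="submit">Save</button>
	</form>
	<?php
}

// admin_post_{action} fires after all plugins are loaded, so wp_verify_nonce() is already defined.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	$nonce = isset( $_POST['myplugin_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ) )
		: '';

	// Pass the same action key that was used when the nonce was created.
	$age = wp_verify_nonce( $nonce, 'myplugin_save' );
	if ( false === $age ) {
		wp_die( 'Forbidden!', 'Forbidden', array( 'response' => 403 ) );
	}

	// A valid nonce only ties the request to our form; permissions are checked separately.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden!', 'Forbidden', array( 'response' => 403 ) );
	}

	$title = isset( $_POST['myplugin_title'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) )
		: '';
	update_option( 'myplugin_title', $title );

	// 2 means the nonce was generated 12-24 hours ago: still valid, but the form page is stale.
	$args = array( 'saved' => 1 );
	if ( 2 === $age ) {
		$args['nonce_old'] = 1;
	}
	wp_safe_redirect( add_query_arg( $args, wp_get_referer() ?: admin_url() ) );
	exit;
}
```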
Changelog
Since 2.0.3: Introduced.