Question

check_admin_referer( int|string $action = -1,  string $query_arg = '_wpnonce' )

Makes sure that a user was referred from another admin page.

---

description

To avoid security exploits.

---

参数

$action

(int|string) (Optional) Action nonce.

Default value: -1

$query_arg

(string) (Optional) Key to check for nonce in $_REQUEST (since 2.5).

Default value: '_wpnonce'

---

返回值

(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.

---

源代码

File: wp-includes/pluggable.php

function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
	if ( -1 == $action )
		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );

	$adminurl = strtolower(admin_url());
	$referer = strtolower(wp_get_referer());
	$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;

	/**
	 * Fires once the admin request has been validated or not.
	 *
	 * @since 1.5.1
	 *
	 * @param string    $action The nonce action.
	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
	 */
	do_action( 'check_admin_referer', $action, $result );

	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
		wp_nonce_ays( $action );
		die();
	}

	return $result;
}

---

更新日志

Version	description
1.2.0	Introduced.

---

相关函数

Uses

• wp-includes/l10n.php: __()
• wp-includes/pluggable.php: wp_verify_nonce()
• wp-includes/pluggable.php: check_admin_referer
• wp-includes/functions.php: _doing_it_wrong()
• wp-includes/functions.php: wp_nonce_ays()
• wp-includes/functions.php: wp_get_referer()
• wp-includes/link-template.php: admin_url()
• wp-includes/plugin.php: do_action()
Show 3 more uses Hide more uses

---

Used By

• wp-admin/includes/misc.php: set_screen_options()
• wp-admin/includes/dashboard.php: wp_dashboard_setup()
• wp-admin/includes/media.php: media_upload_form_handler()
• wp-admin/includes/media.php: wp_media_upload_handler()
• wp-admin/custom-header.php: Custom_Image_Header::step_2()
• wp-admin/custom-header.php: Custom_Image_Header::step_3()
• wp-admin/custom-header.php: Custom_Image_Header::take_action()
• wp-admin/custom-background.php: Custom_Background::take_action()
• wp-admin/custom-background.php: Custom_Background::handle_upload()
Show 4 more used by Hide more used by

---

User Contributed Notes

1. Skip to note content You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note Contributed by Codex

   Usage in a plugin’s option page

   Here is an example of how you might use this in a plugin’s option page. You add a nonce to a form using the wp_nonce_field() function:

   
   <form method="post">
      <!-- some inputs here ... -->
      <?php wp_nonce_field( 'name_of_my_action','name_of_nonce_field' ); ?>
   </form>
   

   Then in the page where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted:

   
   <?php
   // if this fails, check_admin_referer() will automatically print a "failed" page and die.
   if ( ! empty( $_POST ) && check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ) ) {
      // process form data, e.g. update fields
   }
   
   // Display the form
   

Note – Obsolete usage

script dies if the admin referer is not validated.

<?php check_admin_referer(); ?>