
wp_create_nonce()

Published 2017-09-11 11:43:55 | 7189 characters | 1439 views | 0 comments | 0 bookmarks

wp_create_nonce( string|int $action = -1 )

Creates a cryptographic token tied to a specific action, user, user session, and window of time.

Parameters

$action

(string|int) (Optional) Scalar value to add context to the nonce.

Default value: -1


Return

(string) The token.


Source

File: wp-includes/pluggable.php

function wp_create_nonce($action = -1) {
	$user = wp_get_current_user();
	$uid = (int) $user->ID;
	if ( ! $uid ) {
		/** This filter is documented in wp-includes/pluggable.php */
		$uid = apply_filters( 'nonce_user_logged_out', $uid, $action );
	}

	$token = wp_get_session_token();
	$i = wp_nonce_tick();

	return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 );
}
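The source above shows what goes into the token (tick, action, user ID, session token) but not how the "window of time" behaves in practice. The following is an added example, not WordPress core code: it runs inside WordPress (for instance from a mu-plugin) and uses only real core APIs (wp_create_nonce, wp_verify_nonce, the nonce_life and nonce_user_logged_out filters, HOUR_IN_SECONDS, sanitize_key); the "myplugin_" prefix and the myplugin_visitor cookie are assumptions.

```php
<?php
/*
 * Added example (not WordPress core code). wp_nonce_tick() derives the
 * tick from the current time and the 'nonce_life' filter (default
 * DAY_IN_SECONDS, so ticks are 12 hours), and wp_verify_nonce() accepts
 * the current tick and the previous one. Assumed names: "myplugin_"
 * prefix and the "myplugin_visitor" cookie.
 */

// Shorten the lifetime: a one-hour life means 30-minute ticks, so a token
// is accepted for somewhere between 30 and 60 minutes instead of 12-24 h.
add_filter( 'nonce_life', function ( $lifetime ) {
	return HOUR_IN_SECONDS;
} );

// Logged-out visitors all get $uid = 0 and an empty session token, so
// their nonces differ only by action and tick. Binding them to a
// per-visitor value (assumed here: a cookie the plugin set earlier) keeps
// one anonymous visitor's token from verifying for another.
add_filter( 'nonce_user_logged_out', function ( $uid, $action ) {
	if ( 0 === $uid && ! empty( $_COOKIE['myplugin_visitor'] ) ) {
		return sanitize_key( $_COOKIE['myplugin_visitor'] );
	}
	return $uid;
}, 10, 2 );

function myplugin_nonce_checks() {
	$action = 'myplugin-export-' . get_current_user_id();
	$nonce  = wp_create_nonce( $action );

	// wp_verify_nonce() returns 1 when the token was issued in the current
	// tick, 2 when it came from the previous tick, and false when it is
	// expired or was created for another action, user, or session.
	$fresh    = wp_verify_nonce( $nonce, $action );
	$mismatch = wp_verify_nonce( $nonce, 'myplugin-delete' );

	// A nonce is not single-use: the same token keeps verifying while its
	// tick is current. Replay protection for a one-shot operation must come
	// from elsewhere, e.g. a transient keyed on the token that the handler
	// sets after the first successful use.
	$again = wp_verify_nonce( $nonce, $action );

	return array(
		'fresh'    => $fresh,
		'mismatch' => $mismatch,
		'again'    => $again,
	);
}
```

Two consequences worth keeping in mind when reviewing code that relies on this function: the token is a proof of intent bound to a user and session, not a one-time value, and for anonymous visitors it is shared across everyone with the same action unless nonce_user_logged_out adds a per-visitor component.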

Changelog

Version | Description
4.0.0   | Session tokens were integrated with nonce creation.
2.0.3   | Introduced.

Related Functions

Uses

  • wp-includes/user.php: wp_get_session_token()
  • wp-includes/pluggable.php: wp_nonce_tick()
  • wp-includes/pluggable.php: wp_hash()
  • wp-includes/pluggable.php: nonce_user_logged_out
  • wp-includes/pluggable.php: wp_get_current_user()
  • wp-includes/plugin.php: apply_filters()

Used By

  • wp-includes/script-loader.php: wp_localize_community_events()
  • wp-admin/includes/ajax-actions.php: wp_ajax_install_theme()
  • wp-admin/includes/ajax-actions.php: wp_ajax_install_plugin()
  • wp-includes/class-wp-customize-manager.php: WP_Customize_Manager::get_nonces()
  • wp-includes/class-wp-customize-nav-menus.php: WP_Customize_Nav_Menus::filter_nonces()
  • wp-includes/rest-api.php: rest_cookie_check_errors()
  • wp-admin/includes/class-wp-comments-list-table.php: WP_Comments_List_Table::handle_row_actions()
  • wp-admin/includes/class-wp-media-list-table.php: WP_Media_List_Table::column_parent()
  • wp-includes/class-wp-customize-widgets.php: WP_Customize_Widgets::refresh_nonces()
  • wp-includes/customize/class-wp-customize-background-image-control.php: WP_Customize_Background_Image_Control::enqueue()
  • wp-admin/includes/class-wp-screen.php: WP_Screen::show_screen_options()
  • wp-admin/includes/image-edit.php: wp_image_editor()
  • wp-admin/includes/misc.php: wp_refresh_post_nonces()
  • wp-admin/includes/plugin-install.php: install_plugins_favorites_form()
  • wp-admin/includes/dashboard.php: _wp_dashboard_recent_comments_row()
  • wp-admin/includes/plugin.php: activate_plugin()
  • wp-admin/includes/class-wp-plugin-install-list-table.php: WP_Plugin_Install_List_Table::display_rows()
  • wp-admin/includes/template.php: compression_test()
  • wp-admin/includes/template.php: _list_meta_row()
  • wp-admin/includes/media.php: edit_form_image_editor()
  • wp-admin/includes/media.php: get_media_item()
  • wp-admin/includes/media.php: media_upload_form()
  • wp-admin/includes/post.php: _admin_notice_post_locked()
  • wp-admin/includes/post.php: post_preview()
  • wp-admin/includes/ajax-actions.php: wp_ajax_query_themes()
  • wp-admin/includes/ajax-actions.php: wp_ajax_replyto_comment()
  • wp-admin/includes/revision.php: wp_prepare_revisions_for_js()
  • wp-admin/custom-header.php: Custom_Image_Header::step_1()
  • wp-includes/general-template.php: wp_heartbeat_settings()
  • wp-includes/functions.php: wp_nonce_url()
  • wp-includes/functions.php: wp_nonce_field()
  • wp-includes/media.php: wp_plupload_default_settings()
  • wp-includes/media.php: wp_prepare_attachment_for_js()
  • wp-includes/media.php: wp_enqueue_media()
  • wp-includes/ms-functions.php: signup_nonce_check()
  • wp-includes/customize/class-wp-customize-header-image-control.php: WP_Customize_Header_Image_Control::enqueue()
  • wp-includes/script-loader.php: wp_default_scripts()

User Contributed Notes

  1. Contributed by Codex

    Example
    In this simple example, we create a nonce and use it as one of the GET query parameters in a URL for a link. When the user clicks the link they are directed to a page where a certain action will be performed (for example, a post might be deleted). On the target page the nonce is verified to ensure that the request was valid (this user really clicked the link and really wants to perform this action).

    <?php
    /*
     * Step A: Create a nonce for a link.
     * We pass it as a GET parameter.
     * The target page will perform some action based on the 'do_something' parameter.
     */
    $nonce = wp_create_nonce( 'my-nonce' );
    ?>
    <a href='myplugin.php?do_something=some_action&_wpnonce=<?php echo esc_attr( $nonce ); ?>'><?php esc_html_e( 'Do some action', 'textdomain' ); ?></a>

    <?php
    /*
     * Step B: This code would go in the target page.
     * We need to verify the nonce. Read it defensively: the parameter may be
     * absent, and request values arrive slashed.
     */
    $nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
    	// This nonce is not valid (missing, expired, or issued for another action, user, or session).
    	die( __( 'Security check', 'textdomain' ) );
    } else {
    	// The nonce was valid.
    	// Do stuff here.
    }


    In the above example we simply called our nonce my-nonce. It is best to choose a name for the nonce that is specific to the action. For example, if we were to create a nonce that would be part of a request to delete a post, we might call it delete_post. Then to make it more specific, we could append the ID of the particular post that the nonce was for. For example delete_post-5 for the post with ID 5.

    
    wp_create_nonce( 'delete_post-' . $post_id );
    

    Then we would verify the nonce like this:

    
    wp_verify_nonce( $nonce, "delete_post-{$_REQUEST['post_id']}" );
    

    In general, it is best to make the name for the action as specific as possible.
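The delete_post-{ID} pattern from this note carried through to a complete link-plus-handler, as an added example that is not part of the Codex note or of WordPress core. It uses real core APIs (wp_nonce_url, add_query_arg, admin_url, check_admin_referer, current_user_can, wp_trash_post, wp_safe_redirect, the admin_post_{action} hook); the "myplugin_" prefix and the admin-post action name myplugin_delete_post are assumptions.

```php
<?php
/*
 * Added example, not from the Codex note or WordPress core.
 * Assumed names: "myplugin_" prefix and the admin-post action
 * "myplugin_delete_post". Everything else is a real core API.
 */

// Build the link. wp_nonce_url() calls wp_create_nonce() with the
// post-specific action and appends the token as the _wpnonce query arg.
function myplugin_delete_link( $post_id ) {
	$post_id = absint( $post_id );
	$url     = add_query_arg(
		array(
			'action'  => 'myplugin_delete_post',
			'post_id' => $post_id,
		),
		admin_url( 'admin-post.php' )
	);
	return wp_nonce_url( $url, 'delete_post-' . $post_id );
}

// admin_post_{action} fires only for logged-in users; anonymous requests
// would need admin_post_nopriv_{action}, which this handler deliberately
// does not register.
add_action( 'admin_post_myplugin_delete_post', 'myplugin_handle_delete_post' );

function myplugin_handle_delete_post() {
	$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

	// 1. Intent: the token must have been issued for exactly this post.
	//    check_admin_referer() wraps wp_verify_nonce() on the _wpnonce
	//    argument and calls wp_die() with the "link has expired" page when
	//    the check fails, so execution never continues past it on failure.
	check_admin_referer( 'delete_post-' . $post_id );

	// 2. Authorization: a valid nonce proves the request was not forged,
	//    not that this user may delete this post. The capability check is
	//    the authorization step and must not be skipped because the nonce
	//    verified.
	if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
		wp_die(
			esc_html__( 'You are not allowed to delete this post.', 'textdomain' ),
			'',
			array( 'response' => 403 )
		);
	}

	// 3. Perform the action, then redirect so a browser reload does not
	//    resubmit it (the nonce would still verify within its window).
	wp_trash_post( $post_id );
	wp_safe_redirect( admin_url( 'edit.php' ) );
	exit;
}
```

The order matters: the nonce check answers "did this user mean to send this request?", the capability check answers "is this user allowed to?", and both have to pass. A handler that checks only the nonce is still open to any logged-in user who can obtain a link for a post they should not be able to delete.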
