Using Nonce for my Form

Date: 2013-09-08 Author: Tyler Gerig

Basically, I need to use a nonce to verify my data, but I'm not sure I'm doing it correctly. What I'm trying to do is remove menu options for non-admin users. If a checkbox is checked and the form is submitted, that menu item is removed for anyone who cannot manage options.

Edit: posted my code here instead of as a gist:

<?php
/*
Plugin Name: Developer Mode Tools 02
Author: Tyler Gerig
Version: 1.1
Description: Add developer mode options to your wordpress installation.
License: GNU General Public License v2 or later
*/

function pretty_dump($dump){
        echo '<pre>';
        var_dump($dump);
        echo '</pre>';
}

/**
*Add an options page for the plugin.
*
*@since 1.0.
*
*@return void
*/
function check_admin_page(){
        $screen = get_current_screen();
        //pretty_dump($screen->base);
        if($screen->base == 'settings_page_tgdmt_options_page'){
                if($_POST){
                                $menus_to_remove = array();
                                $tgdmt_menus = $_POST;
                                foreach($tgdmt_menus as $tgdmt_menu){
                                        if($tgdmt_menu != 'Save Changes'){
                                                $menus_to_remove[] = $tgdmt_menu;
                                        }
                                }
                                update_option( 'tgdmt_menu_settings', array_map('sanitize_text_field', $menus_to_remove) );
                                //pretty_dump($menus_to_remove);
                }

        }
        if(isset( $_POST[ 'tdgmt_plugin_noncename']) && wp_verify_nonce( $_POST[' tdgmt_plugin_noncename'], plugins_url( __FILE__))){
                echo 'Nonce verified';
        }else{
                echo 'Nonce not verified';
        }

}
add_action('admin_head', 'check_admin_page');

function tgdmt_remove_menus(){
        if(!current_user_can('manage_options')){
                if(get_option('tgdmt_menu_settings')){
                        $tgdmt_remove = get_option('tgdmt_menu_settings');
                        foreach($tgdmt_remove as $remove){
                                remove_menu_page($remove);
                        }
                }
        }
}
add_action('admin_menu', 'tgdmt_remove_menus', 11);

function tgdmt_add_options_page(){
        //Add new page under the "Settings tab"
        add_options_page(
                __( 'Developer Mode Tools Options' ),
                __( 'Developer Mode Tools Options' ),
                'manage_options',
                'tgdmt_options_page',
                'tgdmt_render_options_page'
        );
}

add_action( 'admin_menu', 'tgdmt_add_options_page' );


function tgdmt_menu_settings() {
    // Register a binary value called ""
    register_setting(
        'tgdmt_menu_settings',
        'tgdmt_menu_settings',
        ''
    );
}
add_action('admin_init','tgdmt_menu_settings');


function tgdmt_render_options_page(){
        ?>
        <div class="wrap">
                <h2><?php _e( 'Developer Mode Tools Options'); ?></h2>
                <form action="<?php //plugins_url( 'tgdmt_update_menu.php' , dirname(__FILE__) )?>" method="post">
                        <p>
                        <?php wp_nonce_field(plugins_url(__FILE__), 'tgdmt_plugin_noncename'); ?>
                        <?php
                        global $menu;
                                //pretty_dump($menu);
                                $i = 0;
                                //if( current_user_can('manage_options')){
                                        foreach($menu as $item){

                                                if($item[0] != ''){
                                                        $menu_name = trim(str_replace(range(0,9),'',$item[0]));
                                                        echo '<input name="menu'.$i.'" type="checkbox" value="'.$item[2].'" ' . checked( 1, '', false ) . ' />'. $menu_name . '<br>';
                                                        $i++;
                                                        //echo '<input id="tgdmt_disable'.$i.'" name="tgdmt_disable'.$i.'" type="checkbox" value="'.$item[2].'" ' . checked( 1, $status, false ) . ' />'.__($menu_name, 'tgdmt').'<br>';
                                                }
                                        }
                                ?>

                                <input type="submit" name="submit" id="submit" class="button button-primary" value="<?php _e( 'Save Changes', 'tgdmt' ); ?>">
                        </p>
                </form>
        </div>
        <?php



}

1 Answer
SO user: Tyler Gerig

I figured out what I need to do. I need

if(isset( $_POST[ 'tdgmt_plugin_noncename']) && wp_verify_nonce( $_POST['tdgmt_plugin_noncename'], plugins_url( __FILE__))){
to be above

 if($screen->base == 'settings_page_tgdmt_options_page'){
as well as fix my typo

tdgmt_plugin_noncename
instead of

tgdmt_plugin_noncename

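The two fixes in the answer (verify the nonce before the screen check, and use the same field name in wp_nonce_field() and in $_POST) are the essential ones. The following is an added example, not the asker's plugin code, of how the same form handler looks when the nonce check gates everything else, the capability is still checked, and only menu slugs that actually exist in the admin menu are stored. It uses only WordPress core functions (wp_nonce_field, wp_verify_nonce, wp_unslash, current_user_can, sanitize_text_field, update_option, wp_safe_redirect, wp_die); the function names, the option name, the field names and the nonce action string are choices made for this example, and it assumes that the admin $menu global is already populated when admin_init runs, which holds because admin_menu fires before admin_init.

```php
<?php
/*
 * Added example (not the asker's plugin code): a hardened version of the
 * settings handler from the question. Nonce first, capability second,
 * then a whitelist of the submitted values against the real admin menu.
 * Names below (TGDMT_*, tgdmt_menus, tgdmt_save_menus) are assumptions.
 */

// Nonce action and field name shared by the form and the handler.
define( 'TGDMT_NONCE_ACTION', 'tgdmt_save_menu_settings' );
define( 'TGDMT_NONCE_FIELD',  'tgdmt_plugin_noncename' );

/**
 * Handle the POST from the options page. Hooked to admin_init so it runs
 * before any output and can redirect when done (the original ran on
 * admin_head, after the <head> had already started printing).
 */
function tgdmt_handle_menu_settings() {
    // Only react to our own form, identified by its submit button name.
    if ( ! isset( $_POST['tgdmt_save_menus'] ) ) {
        return;
    }

    // 1. Nonce check before touching any data. wp_verify_nonce() returns
    //    false on failure and 1 or 2 on success, so a plain boolean test works.
    $nonce = isset( $_POST[ TGDMT_NONCE_FIELD ] ) ? wp_unslash( $_POST[ TGDMT_NONCE_FIELD ] ) : '';
    if ( ! wp_verify_nonce( $nonce, TGDMT_NONCE_ACTION ) ) {
        wp_die( __( 'Security check failed.' ), 403 );
    }

    // 2. A nonce proves the request came from our form; it says nothing
    //    about whether this user may change settings. Check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You are not allowed to change these settings.' ), 403 );
    }

    // 3. Build the set of slugs WordPress actually registered, so the option
    //    can only ever contain real menu slugs. The original code stored every
    //    POST value except "Save Changes", which includes the nonce itself and
    //    the _wp_http_referer field.
    global $menu;
    $known_slugs = array();
    foreach ( (array) $menu as $item ) {
        if ( ! empty( $item[2] ) ) {
            $known_slugs[] = $item[2];
        }
    }

    $submitted = isset( $_POST['tgdmt_menus'] ) ? (array) wp_unslash( $_POST['tgdmt_menus'] ) : array();
    $to_remove = array();
    foreach ( $submitted as $slug ) {
        $slug = sanitize_text_field( $slug );
        if ( in_array( $slug, $known_slugs, true ) ) {
            $to_remove[] = $slug;
        }
    }

    update_option( 'tgdmt_menu_settings', array_values( array_unique( $to_remove ) ) );

    // Redirect so a browser refresh does not resubmit the form.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=tgdmt_options_page' ) ) );
    exit;
}
add_action( 'admin_init', 'tgdmt_handle_menu_settings' );

/**
 * Form markup that matches the handler above: checkboxes share one array
 * name, and the nonce field uses the same action and field name constants.
 */
function tgdmt_render_menu_form() {
    global $menu;
    $saved = (array) get_option( 'tgdmt_menu_settings', array() );
    echo '<form method="post">';
    wp_nonce_field( TGDMT_NONCE_ACTION, TGDMT_NONCE_FIELD );
    foreach ( (array) $menu as $item ) {
        if ( empty( $item[0] ) || empty( $item[2] ) ) {
            continue;
        }
        $label = trim( wp_strip_all_tags( $item[0] ) );
        echo '<label><input type="checkbox" name="tgdmt_menus[]" value="' . esc_attr( $item[2] ) . '" '
            . checked( in_array( $item[2], $saved, true ), true, false ) . ' /> '
            . esc_html( $label ) . '</label><br>';
    }
    submit_button( __( 'Save Changes' ), 'primary', 'tgdmt_save_menus' );
    echo '</form>';
}
```

The order matters for the reason the answer gives: if the nonce check sits after the code that writes the option, a forged request has already done its damage by the time the check fails. Keeping the capability check alongside the nonce is what stops a logged-in subscriber who can obtain a valid nonce from changing the setting, and whitelisting against $menu keeps arbitrary strings out of the stored option.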
