wp_verify_nonce() always returns FALSE via REST

Date: 2017-04-09 Author: Dongsan

I am trying to create and verify a nonce, and my approach is almost the same as the one described under wp_create_nonce.

I believe this has something to do with the REST API, but I'm not sure where to investigate.

How the nonce is created:

(I have a REST function that returns the code used to render the HTML; the HTML renders correctly, and the value returned by wp_create_nonce() is filled in correctly.)

/***
 * Display customers/vendors in table format
 ***/

if( !function_exists( 'fnc_view_customer_vendor_in_table_format' ) ) {
    /**
     * REST callback: builds an HTML table of posts of the requested type,
     * one "Edit" form (with its nonce) per row, and returns it as JSON.
     *
     * @param WP_REST_Request $request
     * @return mixed|string|void
     */
    function fnc_view_customer_vendor_in_table_format( WP_REST_Request $request ) {

        $_search_name = $request['_search_name'];
        $_posttype = $request['_posttype'];

        if( $_posttype == null ) {
            $result = array( 'msg' => 'ERROR: Please try again', 'error' => true );
            return json_encode( $result );
        }

        $data = '<table class="table widefat table-striped">';
        $data .= '<thead>';
        $data .= '<tr>';
        $data .= '<th class="col-name">Name</th>';
        $data .= '<th class="col-phone">Phone</th>';
        $data .= '<th class="col-email">Fax</th>';
        $data .= '<th class="col-email">Email</th>';
        $data .= '<th class="col-website">Website</th>';
        $data .= '<th class="col-action">Actions</th>';
        $data .= '</tr>';
        $data .= '</thead>';
        $data .= '<tbody>';

        $args = array(
            'post_type' => $_posttype,
            'post_status' => 'publish',
            'posts_per_page' => -1
        );

        // Optional free-text search on the post title/content
        if( $_search_name ) {
            $search_args = array(
                's' => $_search_name
            );
            $args = wp_parse_args( $args, $search_args );
        }

        $posts = get_posts( $args );

        // Helper defined elsewhere in the plugin: resolves a page slug to its ID
        $del_page = get_permalink( fnc_get_id_by_slug_and_posttype( 'delete-instance', 'page' ) );

        foreach( $posts as $post ) :

            $post_type = get_post_type( $post->ID );

            $data .= '<tr>';

            $data .= '<th class="col-name">';
            $data .= get_the_title( $post->ID );
            $data .= '</th>';

            $data .= '<th class="col-phone">';
            $data .= get_post_meta( $post->ID, '_phone', true );
            $data .= '</th>';

            $data .= '<th class="col-fax">';
            $data .= get_post_meta( $post->ID, '_fax', true );
            $data .= '</th>';

            $data .= '<th class="col-email">';
            $data .= get_post_meta( $post->ID, '_email', true );
            $data .= '</th>';

            $data .= '<th class="col-website">';
            $data .= '<a href="'.get_post_meta( $post->ID, '_website', true ).'" target = "_new">';
            $data .= get_post_meta( $post->ID, '_website', true );
            $data .= '</a>';
            $data .= '</th>';

            $data .= '<th class="col-action">';
            $data .= '<div class="col-action-btn">';
            $data .= '<div class="col-action-edit">';
            $data .= '<form action="' . get_permalink( $post->ID ) . '" id="form-edit" name="form-edit" method="post">';
            $data .= '<!-- Noncename needed to verify where the data originated -->';
            // Nonce bound to this specific post; the same action string must be used on verification
            $data .= '<input type="hidden" id="_wpnonce" name="_wpnonce" value="'. wp_create_nonce( 'edit_post-'. $post->ID ) .'" />';
            $data .= '<input type="hidden" name="_wp_http_referer" value="/test/lists/view-vendors" />';
            $data .= '<input type="hidden" id="post_id" name="post_id" value="'. $post->ID .'" />';
            $data .= '<input type="hidden" name="mode" value="edit">';
            $data .= '<input type="submit" class="btn btn-small" value="Edit">';
            $data .= '</form>';
            $data .= '</div>';
            /*
            $data .= '<div class="col-action-delete">';
            $data .= '<form action="' . $del_page . '" id="form-delete" name="form-delete" method="post"  />';
            $data .= '<!-- Noncename needed to verify where the data originated -->';
            $data .= '<input type="hidden" id="_wpnonce" name="_wpnonce" value="'. wp_create_nonce() .'" />';
            $data .= '<input type="hidden" name="mode" value="delete" />';
            $data .= '<input type="hidden" name="del_post_id" value=" ' .$post->ID . '" />';
            $data .= '<input type="hidden" name="del_post_type" value=" ' .$post_type . '" />';
            $data .= '<input type="submit" class="btn btn-small" value="Delete" />';
            $data .= '</form>';
            */
            $data .= '</th>';

            $data .= '</tr>';

        endforeach;

        $data .= '</tbody>';
        $data .= '</table>';

        $result = array( 'msg' => $data, 'error' => false );

        return json_encode( $result );

    }
}
How the nonce is verified:

// Nonce and post ID submitted by the edit form on the other page
$nonce = $_REQUEST['_wpnonce'];
$post_id = $_REQUEST['post_id'];

print_r( $_POST );
// prints Array ( [_wpnonce] => 47f80a1859 [_wp_http_referer] => /test/lists/view-vendors [post_id] => 19793 [mode] => edit )
echo '<br/>';
echo '<br/>';

// Same action string as the one used by wp_create_nonce() when the form was built
var_dump( wp_verify_nonce( $nonce, 'edit_post-'. $post_id ) );
// prints bool(false)
echo '<br/>';
echo '<br/>';

if ( !wp_verify_nonce( $nonce, 'edit_post-'. $post_id ) ) {

    print $GLOBALS['doumi']['nonce_fail_msg'];
    echo '</main></div>';
    get_footer();
    die();

}

1 reply
SO user: Spartacus

On line 3 of your form markup you pass two parameters to wp_create_nonce when it only accepts one. It's a simple typo. You'll want to concatenate the strings like this:

wp_create_nonce( 'edit_post-'. $post->ID ) //dot instead of comma
Edit: I would suggest giving the nonce field a name other than _wpnonce, since that is the generic (default) WordPress name for the nonce field, which means you could be colliding with other core nonces or plugin nonces. Perhaps try something like this:

// change the NONCE name to something unique
$data .= '<input type="hidden" id="wpse263026_nonce" name="wpse263026_nonce" value="'. wp_create_nonce( 'edit_post-'. $post->ID ) .'" />';
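The following is an added example that is not part of the question or of Spartacus's answer; it shows the creation and verification sides together, with the uniquely named nonce field the answer recommends. One point the thread does not spell out is why a nonce minted inside a REST callback can fail on a normal page: WordPress nonces are derived from the user ID and session token, and a cookie-authenticated REST request only runs as the logged-in user when the client sends the `wp_rest` nonce in an `X-WP-Nonce` header; otherwise the request runs as user 0 and the nonce it mints will not verify for the logged-in user later. The route namespace `wpse263026/v1`, the route `/vendor-table`, the action prefix `wpse263026_edit_post_`, the script handle and the `table.js` file are assumptions for this example.

```php
<?php
// Added example (not the question's or the answer's code). Route, action and
// script names are assumptions.

// 1. REST endpoint that renders the table. The permission_callback refuses
//    anonymous callers, so a nonce is only ever minted in a real user session.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wpse263026/v1', '/vendor-table', array(
        'methods'             => 'GET',
        'callback'            => 'wpse263026_render_vendor_table',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args'                => array(
            '_posttype'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_key' ),
            '_search_name' => array( 'default'  => '',   'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function wpse263026_render_vendor_table( WP_REST_Request $request ) {
    $args = array(
        'post_type'      => $request->get_param( '_posttype' ),
        'post_status'    => 'publish',
        'posts_per_page' => -1,
        's'              => $request->get_param( '_search_name' ),
    );

    $html = '<table class="table widefat table-striped"><tbody>';
    foreach ( get_posts( $args ) as $post ) {
        $website = get_post_meta( $post->ID, '_website', true );
        $html .= '<tr>';
        // Escape everything that comes from post meta before it goes into markup.
        $html .= '<td>' . esc_html( get_the_title( $post->ID ) ) . '</td>';
        $html .= '<td>' . esc_html( get_post_meta( $post->ID, '_email', true ) ) . '</td>';
        $html .= '<td><a href="' . esc_url( $website ) . '">' . esc_html( $website ) . '</a></td>';
        $html .= '<td><form action="' . esc_url( get_permalink( $post->ID ) ) . '" method="post">';
        // Uniquely named nonce field bound to this post; wp_nonce_field() returns
        // the markup instead of echoing it when its fourth argument is false.
        $html .= wp_nonce_field( 'wpse263026_edit_post_' . $post->ID, 'wpse263026_nonce', true, false );
        $html .= '<input type="hidden" name="post_id" value="' . esc_attr( $post->ID ) . '" />';
        $html .= '<input type="submit" class="btn btn-small" value="Edit" />';
        $html .= '</form></td></tr>';
    }
    $html .= '</tbody></table>';

    return rest_ensure_response( array( 'msg' => $html, 'error' => false ) );
}

// 2. The script that calls the endpoint needs the REST nonce so the request is
//    authenticated with the user's cookies; table.js (assumed) must send it as
//    the X-WP-Nonce header.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'wpse263026-table', plugins_url( 'table.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'wpse263026-table', 'wpse263026', array(
        'root'  => esc_url_raw( rest_url( 'wpse263026/v1/vendor-table' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
} );

// 3. Page-side handler for the submitted form. wp_verify_nonce() returns 1 or 2
//    (the nonce's age) on success and false on failure, so compare against false.
function wpse263026_handle_edit_form() {
    if ( ! isset( $_POST['wpse263026_nonce'], $_POST['post_id'] ) ) {
        return;
    }
    $post_id = absint( $_POST['post_id'] );
    $nonce   = sanitize_text_field( wp_unslash( $_POST['wpse263026_nonce'] ) );

    if ( false === wp_verify_nonce( $nonce, 'wpse263026_edit_post_' . $post_id ) ) {
        wp_die( 'Nonce check failed: the form was generated in a different user session or has expired.' );
    }
    // A nonce proves intent, not authority: the capability check is still required.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this item.' );
    }
    // ... apply the edit here ...
}
add_action( 'template_redirect', 'wpse263026_handle_edit_form' );
```

In the browser, the assumed `table.js` reads `wpse263026.nonce` and sends it as the `X-WP-Nonce` header on the request to `wpse263026.root`; with that header present WordPress sets the current user from the login cookie before the callback runs, so the nonce in each row is minted for the same user and session that will later submit the form, and the action string is the same on both sides.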
