wp_nonce_field(): retrieve or display the nonce hidden field for a form

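Description

Translation

Retrieves or displays the nonce hidden field for a form.

The nonce field is used to verify that the contents of the form came from the current site and not from somewhere else. A nonce does not provide absolute protection, but it effectively blocks most unsafe cases.

If $echo and $referer are both set to true, wp_referer_field() is retrieved as well. If $referer is set to true and the nonce field is echoed, the referer field is echoed too.

The $action and $name arguments are both optional, but setting them is strongly recommended if you want better security. Calling wp_nonce_field() with no arguments is convenient (verifying the nonce field does not require them), but once an attacker knows the pattern of the nonce, it is easy to find a way around the nonce check and put the site at risk.

The input's name is the value you gave for $name. The input's value is the nonce value.

Original text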

Retrieves or displays the nonce hidden form field.

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else. A nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce fields in forms.

The $action and $name arguments are optional, but if you want better security, it is strongly suggested that you provide both. It is easier to just call the function without any arguments, because the nonce security method does not require them, but since crackers know what the default is, it will not be difficult for them to find a way around your nonce and cause damage.

The nonce field name will be whatever $name value you gave, and the field value will be the value created using the wp_create_nonce() function.

Usage

<?php wp_nonce_field( $action, $name, $referer, $echo ); ?>

Parameters

$action

(string) (optional) Action name. Should give the context to what is taking place. Optional but recommended.

Default: -1

$name

(string) (optional) Nonce name. This is the name of the nonce hidden form field to be created. Once the form is submitted, you can access the generated nonce via $_POST[$name].

Default: '_wpnonce'

$referer

(boolean) (optional) Whether the referer hidden form field should also be created with the wp_referer_field() function.

Default: true

$echo

(boolean) (optional) Whether to display or return the nonce hidden form field, and also the referer hidden form field if the $referer argument is set to true.

Default: true

Return value

(string)

The nonce hidden form field, optionally followed by the referer hidden form field if the $referer argument is set to true.

Examples

While less secure than the examples that follow, this is the simplest implementation which omits all arguments. In your form add the following:

It's better to name your action and nonce in your form. Enter values for the first and second arguments to print the necessary hidden field:

Then in the page where it is being submitted to, you may verify it using the wp_verify_nonce() function. Notice that you have to manually retrieve the nonce (from the $_POST array in this example), and the name of the action is the 2nd parameter instead of the first:

If you are submitting and processing the form inside the WP administration area, you may verify the nonce using the check_admin_referer() function:
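
The named-nonce form and its verification described above, put together as an added example that is not from the original page. The action name acme_save_note, the field name acme_note_nonce, the shortcode and the user meta key are hypothetical, and the code assumes it runs inside a WordPress plugin.

```php
<?php
// Added example: hypothetical plugin code; every "acme_*" name is an assumption.

// Render the form. The action string names the operation being protected,
// and the field name replaces the default '_wpnonce'.
add_shortcode( 'acme_note_form', function () {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save_note">
        <input type="text" name="acme_note">
        <?php wp_nonce_field( 'acme_save_note', 'acme_note_nonce' ); // also prints the referer field ?>
        <button type="submit">Save</button>
    </form>
    <?php
    return ob_get_clean();
} );

// Handle the submission. admin-post.php dispatches logged-in requests
// to the admin_post_{action} hook.
add_action( 'admin_post_acme_save_note', function () {
    // Retrieve the nonce manually. Argument order is
    // wp_verify_nonce( $nonce, $action ), the reverse of wp_nonce_field().
    $nonce = isset( $_POST['acme_note_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['acme_note_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'acme_save_note' ) ) {
        wp_die( 'Sorry, your nonce did not verify.', '', array( 'response' => 403 ) );
    }

    // The nonce shows the request came from this site's form; whether the
    // user may perform the action is a separate capability check.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }

    $note = isset( $_POST['acme_note'] )
        ? sanitize_text_field( wp_unslash( $_POST['acme_note'] ) )
        : '';
    update_user_meta( get_current_user_id(), 'acme_note', $note );

    // wp_get_referer() reads the referer field that wp_nonce_field() added.
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
} );
```

Inside the administration area, the wp_verify_nonce() block can be replaced by check_admin_referer( 'acme_save_note', 'acme_note_nonce' ), which stops the request itself when the nonce is invalid.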

History

  • Added in version: 2.0.4

Source file

The code for the wp_nonce_field() function is located in wp-includes/functions.php.

Related