bp_verify_nonce_request( string $action = '', string $query_arg = '_wpnonce' )
Makes sure the user requested an action from another page on this site.
Description
To avoid security exploits within the theme.
Parameters
- $action
-
(string) (Optional) Action nonce.
Default value: ''
- $query_arg
-
(string) (Optional) Where to look for nonce in $_REQUEST.
Default value: '_wpnonce'
Return
(bool) True if the nonce is verified, otherwise false.
Source
File: bp-core/bp-core-functions.php
function bp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) { /* Home URL **************************************************************/ // Parse home_url() into pieces to remove query-strings, strange characters, // and other funny things that plugins might to do to it. $parsed_home = parse_url( home_url( '/', ( is_ssl() ? 'https' : 'http' ) ) ); // Maybe include the port, if it's included in home_url(). if ( isset( $parsed_home['port'] ) ) { $parsed_host = $parsed_home['host'] . ':' . $parsed_home['port']; } else { $parsed_host = $parsed_home['host']; } // Set the home URL for use in comparisons. $home_url = trim( strtolower( $parsed_home['scheme'] . '://' . $parsed_host . $parsed_home['path'] ), '/' ); /* Requested URL *********************************************************/ // Maybe include the port, if it's included in home_url(). if ( isset( $parsed_home['port'] ) && false === strpos( $_SERVER['HTTP_HOST'], ':' ) ) { $request_host = $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT']; } else { $request_host = $_SERVER['HTTP_HOST']; } // Build the currently requested URL. $scheme = is_ssl() ? 'https://' : 'http://'; $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] ); /* Look for match ********************************************************/ /** * Filters the requested URL being nonce-verified. * * Useful for configurations like reverse proxying. * * @since BuddyPress 1.9.0 * * @param string $requested_url The requested URL. */ $matched_url = apply_filters( 'bp_verify_nonce_request_url', $requested_url ); // Check the nonce. $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false; // Nonce check failed. if ( empty( $result ) || empty( $action ) || ( strpos( $matched_url, $home_url ) !== 0 ) ) { $result = false; } /** * Fires at the end of the nonce verification check. * * @since BuddyPress 1.6.0 * * @param string $action Action nonce. * @param bool $result Boolean result of nonce verification. */ do_action( 'bp_verify_nonce_request', $action, $result ); return $result; }
Changelog
Version | Description |
---|---|
BuddyPress 1.6.0 | Introduced. |
Questions?
We're always happy to help with code or other questions you might have! Search our developer docs, contact support, or connect with our sales team.