When trying to create a custom metabox, adding custom columns, managing custom columns and finally saving the post, where do we need to pass the nonce? To make my question clearer.
This is not correct, you shouldn’t need a nonce in a metabox because all that information is sent at once in the full request when updating or publishing, and WP already handles that for you.
I think the confusion here is that it was never explained what a nonce is supposed to protect against, and why it’s used.
In the days of myspace, you could put an image tag in your profile, and set src="http://myspace.com/logout", and everybody who visited your profile would get logged out.
A nonce, on the other hand, is a time-sensitive value that protects against this by ensuring that you clicked the button, or did the thing, because you actually clicked the thing, and not because of a CSRF attack.
So if you’re doing something that does something, then yes, use a nonce. If you’re just reading values, then no, there’s no need. More than one nonce doesn’t add protection either, hence metaboxes
Also, check_admin_referer and wp_nonce_verify are not the same:
- wp_nonce_verify literally just checks the nonce
- check_admin_referer calls wp_nonce_verify internally, but it also does things based on the result, and will exit/abort if it fails, and it also checks the referer values
- wp_nonce_verify only checks the nonce and returns true/false, it’s up to you to do something with that value
The same with wp_create_nonce and wp_nonce_field:
- wp_create_nonce creates a nonce value. It’s up to you to do something with it
- wp_nonce_field outputs an entire hidden field, and calls wp_create_nonce internally, and does some other stuff
Think of them as the difference between buy_brick() and build_wall().
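An added example, not the answerer's code, showing that distinction in a custom admin action that actually changes state (the kind of "does something" the answer says needs a nonce). It uses the real WordPress functions, where the verifying function is spelled wp_verify_nonce; the hook, action slug, field name and option key are hypothetical.

```php
<?php
// Added example: an admin form that purges a plugin cache, protected by a nonce.
// "myplugin_*" names and the 'myplugin_cache' option are hypothetical placeholders.

// 1. Render the form. wp_nonce_field() calls wp_create_nonce() internally and
//    prints the hidden nonce input (plus a hidden _wp_http_referer input).
function myplugin_render_purge_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_purge_cache">
        <?php wp_nonce_field( 'myplugin_purge_cache', 'myplugin_nonce' ); ?>
        <?php submit_button( 'Purge cache' ); ?>
    </form>
    <?php
}

// 2a. Handler built on wp_verify_nonce(): it only returns false, 1 or 2, so the
//     caller decides what happens on failure (here: redirect back with an error
//     flag instead of dying). Capability check first: a nonce is not authorization.
function myplugin_handle_purge_verify() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $nonce = isset( $_POST['myplugin_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_purge_cache' ) ) {
        wp_safe_redirect( add_query_arg( 'myplugin_error', 'bad_nonce', wp_get_referer() ) );
        exit;
    }
    delete_option( 'myplugin_cache' );
    wp_safe_redirect( add_query_arg( 'myplugin_purged', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_myplugin_purge_cache', 'myplugin_handle_purge_verify' );

// 2b. The same check with check_admin_referer(): it looks up the field, calls
//     wp_verify_nonce() for you and calls wp_nonce_ays()/die() itself on failure,
//     so no failure branch is needed. Hook one handler or the other, not both.
function myplugin_handle_purge_referer() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'myplugin_purge_cache', 'myplugin_nonce' ); // dies on failure
    delete_option( 'myplugin_cache' );
    wp_safe_redirect( add_query_arg( 'myplugin_purged', '1', wp_get_referer() ) );
    exit;
}
```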