phpcs error in WordPress
Yes it is correct. Escaping should be done based on context, and since wp_nonce_url() is used in an href as a proper URL, you should use esc_url.
Nonces are not the way to solve your problem. You’re using it correctly. I would look at the $wpdb->insert array you’re probably using, and implement a check for data to exist that matches the proposed “new” entry. I actually set up a Twilio SMS to fire off when weird validation errors are encountered. I have …
One option is to use wp_add_inline_script() to inline the action URL into the page source. This can be done for example on the admin_enqueue_scripts action. In the example below I used admin_url() with wp_nonce_url() to retrieve the nonce wp-admin URL and then added the query parameters to it with add_query_arg(). add_action( 'admin_enqueue_scripts', 'my_admin_action_url', 5 ); …
Well actually, you just need to learn and understand what a nonce is and is for, and then you would know when/where/whether you should use it. Excerpt from https://codex.wordpress.org/WordPress_Nonces: WordPress’s security tokens are called “nonces” (despite the above-noted differences from true nonces) because they serve much the same purpose as nonces do. They help protect against …
Check codex info about Nonces life time here. Here is a quick code that will echo the life time of nonces in the footer of your site’s front-end as an HTML comment. Put it in your functions.php file. $n = ""; add_filter('nonce_life', 'wptuts_change_nonce_hourly'); function wptuts_change_nonce_hourly( $nonce_life ) { global $n ; $n = $nonce_life; return $nonce_life; } // …
Most likely you should not. (ok, “don’t have to” is a better phrasing) A nonce in a meta box does not add any security as the whole submission of the form happens only after the form’s nonce is verified. You might need some hidden input to be able to detect when the save filter is called from …
Okay, so I found a working solution which is as simple as I thought the whole process should be. The confusing WordPress codex made things harder really. The creation and naming of the nonce is as simple as: wp_create_nonce( 'example' ); This is passed through AJAX and localisation of the script to the PHP. Then …
I believe you are on track; add a parameter to the URL that you can test on page-load. You could create a GUID and add a table to the database where you store the email address and the GUID; this will make guessing parameters almost impossible. You could also add a timestamp to the table …
From the documentation: Backbone.sync is the function that Backbone calls every time it attempts to read or save a model to the server. By default, it uses jQuery.ajax to make a RESTful JSON request and returns a jqXHR. The sync function may be overridden globally as Backbone.sync, or at a finer-grained level, by adding a sync function to a Backbone collection or to an …
Problem is, you are submitting data as POST data, but verifying the nonce from GET data. Here is how you can create a nonce field in a form easily: wp_nonce_field( 'add_new_addres' ); Actually, I personally don’t use more than 1 parameter when calling the wp_nonce_field function. Then when verifying use the following code: if ( ! …