The Correct Way to Use Nonce Field without Settings API

This is a very basic nonce setup for a plugin:

Create your nonce input in the form:

wp_nonce_field( basename(__FILE__), $nonce_key );

Then check your nonce once submitted:

if ( empty($_POST[$nonce_key]) || ! wp_verify_nonce( $_POST[$nonce_key], basename(__FILE__) ) ) return;

basename(__FILE__) just uses the current filename (eg: plugin_options.php) to create the nonce string. You need to provide a string that the nonce function will use to create a number unique to your task. The string you use to create the nonce number needs to be the same string you use to check it.

You could create a custom string as well, for example: “demononce9384374”, as long as you can use it to create the nonce and then check it later. It can remain constant in your plugin, it doesn’t ever need to change. The nonce uses other variables to change the nonce string such as user id and time.

So in my example, “basename(__FILE__)” is my string, and will remain constant unless I am setting and checking in two different files, then it would cause a problem.

So your example should work great.

I think you are pretty covered. Outlining the correct capabilities (manage_options) in your “add_options_page” function and correctly checking the nonce should be good.

Edit: Escaping

It just occurred to me that I left out a topic of security: escaping, for when you are outputting information to the page that has been submitted by a user, even on the backend.

These two functions are what I use most:
esc_attr() & esc_html()

You can also add translation with esc_attr__() or esc_attr_e() & esc_html__() or esc_html_e()

For example:

value="<?php echo $options['invalid'] ? esc_attr($_POST[DEMONONCE]['option_a']) : esc_attr($options['option_a']); ?>"

More here:
http://markjaquith.wordpress.com/2009/06/12/escaping-api-updates-for-wordpress-2-8/
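To put the pieces of this answer together (nonce field, nonce check, the manage_options capability, and escaping on output), here is an added example of a small options page that does not use the Settings API. It is not code from the original answer; the plugin slug "demononce", the option name "demononce_options", the constant DEMONONCE and the "option_a" field are assumed names for this illustration. The WordPress functions it calls (add_options_page, wp_nonce_field, wp_verify_nonce, current_user_can, sanitize_text_field, wp_unslash, get_option, update_option, esc_attr, esc_html_e, submit_button) are the standard core API.

```php
<?php
/*
 * Added example, not from the original answer. Assumed names: the "demononce"
 * slug, the "demononce_options" option and the DEMONONCE form-field namespace.
 */

if ( ! defined( 'DEMONONCE' ) ) {
    define( 'DEMONONCE', 'demononce' ); // namespace for the form fields, as in the answer
}

add_action( 'admin_menu', 'demononce_add_menu' );
function demononce_add_menu() {
    // manage_options: only users with that capability can open the page at all.
    add_options_page( 'Demo Nonce', 'Demo Nonce', 'manage_options', 'demononce', 'demononce_render_page' );
}

/*
 * Processes a submission, if there is one, and returns the options to display.
 * Order of checks: is there a submission, may this user change settings,
 * is the nonce valid, then sanitize the value before it is stored.
 */
function demononce_handle_post() {
    $nonce_key = DEMONONCE . '_nonce';
    $defaults  = array( 'option_a' => '', 'invalid' => false );
    $options   = wp_parse_args( get_option( 'demononce_options', array() ), $defaults );

    if ( empty( $_POST[ DEMONONCE ] ) ) {
        return array( 'options' => $options, 'message' => '' );
    }

    // The menu capability only guards rendering; check again when handling the POST.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do this.', 'demononce' ) );
    }

    // The action string must be the same one passed to wp_nonce_field() below.
    if ( empty( $_POST[ $nonce_key ] ) || ! wp_verify_nonce( $_POST[ $nonce_key ], basename( __FILE__ ) ) ) {
        wp_die( esc_html__( 'Security check failed, please reload the form and try again.', 'demononce' ) );
    }

    // Sanitize on the way in; the raw POST value is never written to the database.
    $submitted = isset( $_POST[ DEMONONCE ]['option_a'] ) ? $_POST[ DEMONONCE ]['option_a'] : '';
    $submitted = sanitize_text_field( wp_unslash( $submitted ) );

    if ( '' === $submitted ) {
        // Flag the submission as invalid so the form redisplays what was typed (escaped), without saving it.
        $options['invalid'] = true;
        return array( 'options' => $options, 'message' => __( 'Option A may not be empty.', 'demononce' ) );
    }

    $options['option_a'] = $submitted;
    $options['invalid']  = false;
    update_option( 'demononce_options', $options );
    return array( 'options' => $options, 'message' => __( 'Settings saved.', 'demononce' ) );
}

function demononce_render_page() {
    $state     = demononce_handle_post();
    $options   = $state['options'];
    $nonce_key = DEMONONCE . '_nonce';

    // On a rejected submission show the submitted value, otherwise the stored one.
    // Either way it only reaches the page through esc_attr().
    $value = $options['invalid'] ? wp_unslash( $_POST[ DEMONONCE ]['option_a'] ) : $options['option_a'];
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Demo Nonce', 'demononce' ); ?></h1>
        <?php if ( '' !== $state['message'] ) : ?>
            <div class="notice notice-info"><p><?php echo esc_html( $state['message'] ); ?></p></div>
        <?php endif; ?>
        <form method="post" action="">
            <?php wp_nonce_field( basename( __FILE__ ), $nonce_key ); ?>
            <label for="demononce_option_a"><?php esc_html_e( 'Option A', 'demononce' ); ?></label>
            <input type="text" id="demononce_option_a"
                   name="<?php echo esc_attr( DEMONONCE ); ?>[option_a]"
                   value="<?php echo esc_attr( $value ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

Because both wp_nonce_field() and wp_verify_nonce() live in the same file, basename(__FILE__) yields the same action string on both sides; if the form and its handler were split across two files, a fixed string such as the “demononce9384374” mentioned above would be needed instead.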