Processing form data without nonce verification Error on my Function - Wordpress

viscosho Source

Here is my function:

public function save_meta( $term_id = 0, $taxonomy = '' ) {
    $meta = ! empty( $_POST['banner'] ) ? $_POST['banner'] : '';

    if ( empty( $meta ) ) {
        delete_term_meta( $term_id, 'banner' );
    } else {
        update_term_meta( $term_id, 'banner', $meta );
    }
}

And when Travis reviews the code, it tells me: Processing form data without nonce verification. (WordPress.CSRF.NonceVerification.NoNonceVerification)

I tried the following, but it is not working:

public function save_meta( $term_id = 0, $taxonomy = '' ) {
    $meta = ! empty( $_POST['banner'] ) && wp_verify_nonce( sanitize_key( $_POST['banner'] ) ? $_POST['banner'] : '';

    if ( empty( $meta ) ) {
        delete_term_meta( $term_id, 'banner' );
    } else {
        update_term_meta( $term_id, 'banner', $meta );
    }
}

What is wrong with my code?

php wordpress travis-ci nonce

Answers

answered 3 months ago magenta #1

The nonce is a hash of the user id, the session token, the current time and a tag generated by the function wp_create_nonce(). This hash is used to validate that the request is not counterfeit. In your case a suitable tag would be 'update-banner_' . $term_id. Your HTTP request should return this nonce as a query or post parameter. For form submission this is usually done by using a hidden field in the form. WordPress provides the convenience function wp_nonce_field() to do this. Your request handler should then verify this nonce using the function wp_verify_nonce() or the convenience function check_admin_referer(). Please read the WordPress documentation for details on calling these functions.
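The flow described in the answer above, written out as an added example (not code from the question or the answer). The class name Banner_Term_Meta, the register() wiring, the 'banner_nonce' field name and the choice of sanitize_text_field() for the value are assumptions; the action string 'update-banner_' . $term_id is the tag the answer suggests, and it only fits the edit screen, where the term id is already known when the form is rendered.

```php
<?php
// Added example: class name, hook wiring and the 'banner_nonce' field name are assumptions.
class Banner_Term_Meta {

    // Hook the field renderer and the save handler for one taxonomy.
    public function register( $taxonomy ) {
        add_action( "{$taxonomy}_edit_form_fields", array( $this, 'render_field' ) );
        add_action( "edited_{$taxonomy}", array( $this, 'save_meta' ) );
    }

    // Print the banner input plus a hidden nonce field bound to this term.
    public function render_field( $term ) {
        $value = get_term_meta( $term->term_id, 'banner', true );
        echo '<tr class="form-field"><th><label for="banner">Banner</label></th><td>';
        wp_nonce_field( 'update-banner_' . $term->term_id, 'banner_nonce' );
        printf( '<input type="text" id="banner" name="banner" value="%s" />', esc_attr( $value ) );
        echo '</td></tr>';
    }

    public function save_meta( $term_id = 0, $taxonomy = '' ) {
        // The nonce travels in its own field; $_POST['banner'] is the data, not the token.
        $nonce = isset( $_POST['banner_nonce'] )
            ? sanitize_key( wp_unslash( $_POST['banner_nonce'] ) )
            : '';

        // Stop unless the token was issued for this exact action and term.
        if ( ! wp_verify_nonce( $nonce, 'update-banner_' . $term_id ) ) {
            return;
        }

        // A valid nonce shows intent, not permission, so check the capability too.
        if ( ! current_user_can( 'edit_term', $term_id ) ) {
            return;
        }

        // Only read the submitted value after both checks have passed.
        $meta = isset( $_POST['banner'] )
            ? sanitize_text_field( wp_unslash( $_POST['banner'] ) )
            : '';

        if ( '' === $meta ) {
            delete_term_meta( $term_id, 'banner' );
        } else {
            update_term_meta( $term_id, 'banner', $meta );
        }
    }
}
```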
