如何check_ajax_referer()真的有用吗? [英] How does check_ajax_referer() really work?
问题描述
智能字preSS人说的插件开发人员应该使用在从一个页面发送回字preSS博客(管理员-ajax.php)每个AJAX请求一个随机数。
Smart Wordpress people say that plugin developers should employ a nonce in each AJAX request that is sent from a page back to the wordpress blog (admin-ajax.php).
这是由(1)发生在服务器端一个随机数,通过
This is done by (1) generating a nonce on the server side, via
$nonce = wp_create_nonce ('my-nonce');
(2)使该随机数可用于JavaScript code发送Ajax请求。例如,你可以做到这一点是这样的:
...(2) making that nonce available to Javascript code that sends AJAX requests. For example you could do it like this:
function myplg_emit_scriptblock() {
$nonce = wp_create_nonce('myplg-nonce');
echo "<script type='text/javascript'>\n" .
" var WpPlgSettings = {\n" .
" ajaxurl : '" . admin_url( 'admin-ajax.php' ) . "',\n" .
" nonce : '" . $nonce . "'\n" .
" };\n" .
"</script>\n";
}
add_action('wp_print_scripts','myplg_emit_scriptblock');
...然后(3)的JavaScript AJAX逻辑引用的全局变量。
...and then (3) the javascript ajax logic references that global variable.
var url = WpPlgSettings.ajaxurl +
"?action=my-wp-plg-action&" +
"nonce=" + WpPlgSettings .nonce +
"docid=" + id;
$.ajax({type: "GET",
url: url,
headers : { "Accept" : 'application/json' },
dataType: "json",
cache: false,
error: function (xhr, textStatus, errorThrown) {
...
},
success: function (data, textStatus, xhr) {
...
}
});
...和最后(4)检查在所述的服务器端逻辑所接收的随机数。
...and finally (4) checking the received nonce in the server-side logic.
add_action( 'wp_ajax_nopriv_skydrv-hotlink', 'myplg_handle_ajax_request' );
add_action( 'wp_ajax_skydrv-hotlink', 'myplg_handle_ajax_request' );
function myplg_handle_ajax_request() {
check_ajax_referer( 'myplg-nonce', 'nonce' ); // <<=-----
if (isset($_GET['docid'])) {
$docid = $_GET['docid'];
$response = myplg_generate_the_response($docid);
header( "Content-Type: application/json" );
echo json_encode( $response ) ;
}
else {
$response = array("error" => "you must specify a docid parameter.");
echo json_encode( $response ) ;
}
exit;
}
但如何检查真的有用吗?
But how does the check really work?
推荐答案
修订一些AJAX程序的,我来了同样的问题。而且它的检查功能code 一个简单的问题:
Revising some AJAX procedures, I came to the same question. And it's a simple matter of checking the function code:
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
if ( $query_arg )
$nonce = $_REQUEST[$query_arg];
else
$nonce = isset($_REQUEST['_ajax_nonce']) ? $_REQUEST['_ajax_nonce'] : $_REQUEST['_wpnonce'];
$result = wp_verify_nonce( $nonce, $action );
if ( $die && false == $result ) {
if ( defined( 'DOING_AJAX' ) && DOING_AJAX )
wp_die( -1 );
else
die( '-1' );
}
do_action('check_ajax_referer', $action, $result);
return $result;
}
如果 wp_verify_nonce 是假键,你还没有发假在 $死参数,那么它将执行 wp_die(-1); 。
If wp_verify_nonce is false and you haven't sent false in the $die parameter, then it will execute wp_die( -1 );.
在你的样品code, check_ajax_referer()将打破执行和返回 1 的AJAX调用。如果你想自己处理错误,添加参数 $死,做你的东西与 $ do_check :
In your sample code, check_ajax_referer() will break the execution and return -1 to the AJAX call. If you want to handle the error yourself, add the parameter $die and do your stuff with $do_check:
$do_check = check_ajax_referer( 'myplg-nonce', 'nonce', false );
注意,正确的方法来处理Ajax在Word preSS是:的注册,排队和的本地化使用的 wp_enqueue_scripts ,而不是 wp_print_scripts 。
<子>见<一href="http://make.word$p$pss.org/core/2011/12/12/use-wp_enqueue_scripts-not-wp_print_styles-to-enqueue-scripts-and-styles-for-the-frontend/"相对=nofollow>使用wp_enqueue_scripts()不wp_print_styles()。
Note that the proper way to handle AJAX in WordPress is: register, enqueue and localize the JavaScript files using wp_enqueue_scripts instead of wp_print_scripts.
See Use wp_enqueue_scripts() not wp_print_styles().
这篇关于如何check_ajax_referer()真的有用吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
