The wp_nonce_field function explained

Wayne Shen

wp_nonce_field( int|string $action = -1, string $name = '_wpnonce', bool $referer = true, bool $echo = true )

Retrieve or display the nonce hidden field for forms. It is the verification built into WordPress forms and can effectively protect actions such as registration and submission.

The nonce field is used to validate that the contents of the form came from the location on the current site and not somewhere else. The nonce does not offer absolute protection, but should protect against most cases. It is very important to use nonce field in forms.

The $action and $name are optional, but if you want better security, it is strongly suggested to set those two parameters. It is easier to just call the function without any parameters, because validation of the nonce doesn't require any parameters, but since crackers know what the default is, it won't be difficult for them to find a way around your nonce and cause damage.

The input name will be whatever $name value you gave. The input value will be the nonce creation value.


Parameters:

$action
(int|string) (Optional) Action name.
Default value: -1

$name
(string) (Optional) Nonce name.
Default value: '_wpnonce'

$referer
(bool) (Optional) Whether to set the referer field for validation.
Default value: true

$echo
(bool) (Optional) Whether to display or return the hidden form field.
Default value: true

Any time you submit form data and add it to the database, it is a good idea to use WordPress's nonce field. It generates a unique value tied to the form and the current user, so that you know the data is not being posted from a malicious script.
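The following is an added example, not code from the original post or from WordPress itself. It shows the two halves that the description above implies: a form that embeds the nonce with explicit $action and $name values, and a handler that verifies the same pair before writing anything to the database. The action string 'demo_save_note', the field name 'demo_note_nonce', the option key 'demo_note' and the function names are assumptions chosen for the example.

```php
<?php
// Added example (not from the original post). Assumed names: action
// 'demo_save_note', nonce field 'demo_note_nonce', option key 'demo_note'.

// Render the form. With $referer left at its default of true, wp_nonce_field()
// emits two hidden inputs:
//   <input type="hidden" id="demo_note_nonce" name="demo_note_nonce" value="..." />
//   <input type="hidden" name="_wp_http_referer" value="..." />
function demo_render_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_note', 'demo_note_nonce' ); ?>
        <input type="hidden" name="action" value="demo_save_note" />
        <label for="note">Note</label>
        <input type="text" id="note" name="note" />
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handle the submission. Because the form used an explicit $action and $name,
// the check must use the same pair. A request with no nonce field, a nonce
// created for a different action or user, or an expired nonce (the default
// lifetime is one day) is rejected before any data is written.
function demo_handle_save_note() {
    $nonce = isset( $_POST['demo_note_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['demo_note_nonce'] ) )
        : '';

    // wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise.
    if ( ! wp_verify_nonce( $nonce, 'demo_save_note' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    // The nonce only shows the request came from a form this site rendered for
    // this user; it is not an authorization check, so still verify capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'demo_note', $note );

    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_demo_save_note', 'demo_handle_save_note' );
```

In an admin-side handler the nonce and referer check can be collapsed into a single call to check_admin_referer( 'demo_save_note', 'demo_note_nonce' ), which calls wp_die() itself on failure. If the form had been built with the default $action of -1 and the default $name of '_wpnonce', any script that knows those defaults could obtain a matching nonce from another form on the site, which is the weakness the paragraph above warns about.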

If you use forms, use wp_nonce_field to add security.