I have a shortcode which calls an html form:
function add_signup_form () {
require_once ( "apps/registration_form.php");
return signup_form();
}
add_shortcode( 'add_signup_form', 'add_signup_form' );
The form loads on the WordPress page just fine. But when the form is submitted the nonce is not validating.
function signup_form() {
$form = '<form action="'.plugins_url().'/sunday-signup/apps/save_registration.php" method="post" id="setting">
' . wp_nonce_field( "register","registration_nonce" ). '
...
<input type="submit" name="submit_registration" value="Save Reservation" class="button">
</form>';
return $form;
}
in the processing .php I'm able to print_r($_POST) and see the value of the nonce and other fields, but my condition won't satisfy.:
if ( isset($_POST['submit_registration']) ) {
if ( wp_verify_nonce( $_POST['registration_nonce'], 'register' ) ) {
I've done this many times, but never using a shortcode. Is that the issue?
Update:
As it turns out, it had nothing to do with nounces, but all WordPress functions were "undefined." Once I added the following to the top of my script, everything worked.
require_once $_POST['root_dir'].'/wp-load.php';
I have a shortcode which calls an html form:
function add_signup_form () {
require_once ( "apps/registration_form.php");
return signup_form();
}
add_shortcode( 'add_signup_form', 'add_signup_form' );
The form loads on the WordPress page just fine. But when the form is submitted the nonce is not validating.
function signup_form() {
$form = '<form action="'.plugins_url().'/sunday-signup/apps/save_registration.php" method="post" id="setting">
' . wp_nonce_field( "register","registration_nonce" ). '
...
<input type="submit" name="submit_registration" value="Save Reservation" class="button">
</form>';
return $form;
}
in the processing .php I'm able to print_r($_POST) and see the value of the nonce and other fields, but my condition won't satisfy.:
if ( isset($_POST['submit_registration']) ) {
if ( wp_verify_nonce( $_POST['registration_nonce'], 'register' ) ) {
I've done this many times, but never using a shortcode. Is that the issue?
Update:
As it turns out, it had nothing to do with nounces, but all WordPress functions were "undefined." Once I added the following to the top of my script, everything worked.
require_once $_POST['root_dir'].'/wp-load.php';
1 Answer
Reset to default 3Not sure if this answers the question, but you should call wp_nonce_field() with the fourth parameter ($echo) set to false:
// You are concatenating or not directly echoing the output, so:
. wp_nonce_field( 'register', 'registration_nonce', true, false ) .
And I said "not sure" because you said the posted data ($_POST) did include the nonce field, so check the form source (HTML) and make sure the nonce field is not being used twice or more, e.g.
<!-- 'register' action: wp_nonce_field( 'register', 'registration_nonce', true, false ) -->
<input ... name="registration_nonce" value="nonce" />
...
<!-- A different action: wp_nonce_field( 'foo-bar', 'registration_nonce', true, false ) -->
<input ... name="registration_nonce" value="nonce2" />
So in that case, assuming the valid action is register, then wp_verify_nonce( $_POST['registration_nonce'], 'register' ) is going to fail because the second nonce field above (for the foo-bar action) overrides the first one (for the register action).
Update
So you confirmed the duplicate nonce field issue indeed occurred, but now after you fixed that issue, you're getting the error 500 on your form processing page, which I'm assuming is your custom sunday-signup/apps/save_registration.php file?
If so, then you should actually not submit to a static PHP file. Instead, use one of the early (or on-page-load) hooks in WordPress like template_redirect to process the form submission.
// Example using the template_redirect hook:
add_action( 'template_redirect', function () {
if ( isset( $_POST['submit_registration'], $_POST['registration_nonce'] ) ) {
if ( wp_verify_nonce( $_POST['registration_nonce'], 'register' ) ) {
// your code here
// ...
// then redirect back, maybe..
wp_redirect( wp_get_referer() );
exit;
} else {
echo 'test error';
exit;
}
}
} );
The above example should work, but the actual code which processes the form submission is all up to you. Just make sure you call wp_verify_nonce() and other WordPress functions in the right place.