nonce in custom form is not verifying

I have a shortcode which calls an html form:

function add_signup_form () {
    require_once ( "apps/registration_form.php");
    return signup_form();
}
add_shortcode( 'add_signup_form', 'add_signup_form' );

The form loads on the WordPress page just fine. But when the form is submitted the nonce is not validating.

function signup_form() {     
    $form = '<form action="'.plugins_url().'/sunday-signup/apps/save_registration.php" method="post" id="setting">
                 ' . wp_nonce_field( "register","registration_nonce" ). '  
    ...
    <input type="submit" name="submit_registration" value="Save Reservation" class="button">
    </form>';
    
    return $form;
}

In the processing .php I'm able to print_r($_POST) and see the value of the nonce and other fields, but my condition won't satisfy:

if ( isset($_POST['submit_registration']) ) {

    if ( wp_verify_nonce( $_POST['registration_nonce'], 'register' ) ) {

I've done this many times, but never using a shortcode. Is that the issue?

Update:

As it turns out, it had nothing to do with nonces, but all WordPress functions were "undefined." Once I added the following to the top of my script, everything worked.

require_once $_POST['root_dir'].'/wp-load.php';

Asked Jul 16, 2020 at 2:14 by breadwild; edited Jul 20, 2020 at 16:48

1 Answer

Not sure if this answers the question, but you should call wp_nonce_field() with the fourth parameter ($echo) set to false:

// You are concatenating or not directly echoing the output, so:
. wp_nonce_field( 'register', 'registration_nonce', true, false ) .

And I said "not sure" because you said the posted data ($_POST) did include the nonce field, so check the form source (HTML) and make sure the nonce field is not being used twice or more, e.g.

<!-- 'register' action: wp_nonce_field( 'register', 'registration_nonce', true, false ) -->
<input ... name="registration_nonce" value="nonce" />
...
<!-- A different action: wp_nonce_field( 'foo-bar', 'registration_nonce', true, false ) -->
<input ... name="registration_nonce" value="nonce2" />

So in that case, assuming the valid action is register, then wp_verify_nonce( $_POST['registration_nonce'], 'register' ) is going to fail because the second nonce field above (for the foo-bar action) overrides the first one (for the register action).

Update

So you confirmed the duplicate nonce field issue indeed occurred, but now after you fixed that issue, you're getting the error 500 on your form processing page, which I'm assuming is your custom sunday-signup/apps/save_registration.php file?

If so, then you should actually not submit to a static PHP file. Instead, use one of the early (or on-page-load) hooks in WordPress like template_redirect to process the form submission.

// Example using the template_redirect hook:
add_action( 'template_redirect', function () {
    if ( isset( $_POST['submit_registration'], $_POST['registration_nonce'] ) ) {
        if ( wp_verify_nonce( $_POST['registration_nonce'], 'register' ) ) {
            // your code here
            // ...

            // then redirect back, maybe..
            wp_redirect( wp_get_referer() );
            exit;
        } else {
            echo 'test error';
            exit;
        }
    }
} );

The above example should work, but the actual code which processes the form submission is all up to you. Just make sure you call wp_verify_nonce() and other WordPress functions in the right place.
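
The two fixes from the answer combined into one plugin file, as an added example that is not code from the question or the answer. The function names sunday_signup_form() and sunday_signup_handle() and the guest_name field are assumptions. Because the handler runs inside WordPress, it has no need for a require_once of wp-load.php built from $_POST['root_dir'], an include path that the request itself would control.

```php
<?php
// Added example. Hypothetical names: sunday_signup_form(),
// sunday_signup_handle(), and the 'guest_name' field.

// Shortcode callback: return the markup, never echo it.
function sunday_signup_form() {
    // Fourth argument false: wp_nonce_field() returns the hidden inputs
    // instead of printing them before the shortcode output.
    $nonce = wp_nonce_field( 'register', 'registration_nonce', true, false );

    // Post back to the page that holds the shortcode, so WordPress is
    // already loaded when the submission arrives.
    return '<form action="' . esc_url( get_permalink() ) . '" method="post" id="setting">'
        . $nonce
        . '<input type="text" name="guest_name">'
        . '<input type="submit" name="submit_registration" value="Save Reservation" class="button">'
        . '</form>';
}
add_shortcode( 'add_signup_form', 'sunday_signup_form' );

function sunday_signup_handle() {
    if ( ! isset( $_POST['submit_registration'] ) ) {
        return; // Not this form; let the page render normally.
    }

    // Unslash and sanitize before verifying; a missing field fails closed.
    $nonce = isset( $_POST['registration_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['registration_nonce'] ) )
        : '';

    if ( ! wp_verify_nonce( $nonce, 'register' ) ) {
        wp_die( 'Invalid or expired form token.', 'Bad request', array( 'response' => 403 ) );
    }

    $guest_name = isset( $_POST['guest_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['guest_name'] ) )
        : '';

    // ... store $guest_name here ...

    // wp_safe_redirect() refuses hosts WordPress does not allow;
    // fall back to the home page when no referer is available.
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : home_url( '/' ) );
    exit;
}
add_action( 'template_redirect', 'sunday_signup_handle' );
```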