check_admin_referer( int|string $action = -1, string $query_arg = '_wpnonce' )

Makes sure that a user was referred from another admin page.


Description Description

To avoid security exploits.


Parameters Parameters

$action

(int|string) (Optional) Action nonce.

Default value: -1

$query_arg

(string) (Optional) Key to check for nonce in $_REQUEST (since 2.5).

Default value: '_wpnonce'


Top ↑

Return Return

(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.


Top ↑

Source Source

File: wp-includes/pluggable.php

function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
	if ( -1 == $action )
		_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );

	$adminurl = strtolower(admin_url());
	$referer = strtolower(wp_get_referer());
	$result = isset($_REQUEST[$query_arg]) ? wp_verify_nonce($_REQUEST[$query_arg], $action) : false;

	/**
	 * Fires once the admin request has been validated or not.
	 *
	 * @since 1.5.1
	 *
	 * @param string    $action The nonce action.
	 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
	 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
	 */
	do_action( 'check_admin_referer', $action, $result );

	if ( ! $result && ! ( -1 == $action && strpos( $referer, $adminurl ) === 0 ) ) {
		wp_nonce_ays( $action );
		die();
	}

	return $result;
}

Top ↑

Changelog Changelog

Changelog
Version Description
1.2.0 Introduced.


Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note content
    Contributed by Codex

    Usage in a plugin’s option page

    Here is an example of how you might use this in a plugin’s option page. You add a nonce to a form using the wp_nonce_field() function:

    <form method="post">
       <!-- some inputs here ... -->
       <?php wp_nonce_field( 'name_of_my_action','name_of_nonce_field' ); ?>
    </form>
    

    Then in the page where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted:

    <?php
    // if this fails, check_admin_referer() will automatically print a "failed" page and die.
    if ( ! empty( $_POST ) && check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ) ) {
       // process form data, e.g. update fields
    }
    
    // Display the form
    

You must log in before being able to contribute a note or feedback.