check_ajax_referer

函数
check_ajax_referer ( $action = -1, $query_arg = false, $die = true )
参数
  • (int|string) $action Action nonce.
    Required:
    Default: -1
  • (false|string) $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false, `$_REQUEST` values will be evaluated for '_ajax_nonce', and '_wpnonce' (in that order). Default false.
    Required:
    Default: false
  • (bool) $die Optional. Whether to die early when the nonce cannot be verified. Default true.
    Required:
    Default: true
返回值
  • (int|false) 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.
定义位置
相关方法
check_admin_referercheck_password_reset_keywp_get_raw_refererwp_get_refererwp_ajax_parse_embed
引入
2.0.3
弃用
-

check_ajax_referer: 这个函数检查所提供的nonce(一种特殊的安全令牌)是否与WordPress在前一个页面加载时生成的nonce相匹配。它是用来防止跨站请求伪造(CSRF)攻击的。

验证Ajax请求,以防止处理博客外部的请求。

function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
		if ( -1 == $action ) {
			_doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '4.7.0' );
		}

		$nonce = '';

		if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) ) {
			$nonce = $_REQUEST[ $query_arg ];
		} elseif ( isset( $_REQUEST['_ajax_nonce'] ) ) {
			$nonce = $_REQUEST['_ajax_nonce'];
		} elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
			$nonce = $_REQUEST['_wpnonce'];
		}

		$result = wp_verify_nonce( $nonce, $action );

		/**
		 * Fires once the Ajax request has been validated or not.
		 *
		 * @since 2.1.0
		 *
		 * @param string    $action The Ajax nonce action.
		 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
		 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
		 */
		do_action( 'check_ajax_referer', $action, $result );

		if ( $die && false === $result ) {
			if ( wp_doing_ajax() ) {
				wp_die( -1, 403 );
			} else {
				die( '-1' );
			}
		}

		return $result;
	}
endif;

if ( ! function_exists( 'wp_redirect' ) ) :
	/**
	 * Redirects to another page.
	 *
	 * Note: wp_redirect() does not exit automatically, and should almost always be
	 * followed by a call to `exit;`:
	 *
	 *     wp_redirect( $url );
	 *     exit;
	 *
	 * Exiting can also be selectively manipulated by using wp_redirect() as a conditional
	 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters:
	 *
	 *     if ( wp_redirect( $url ) ) {
	 *         exit;
	 *     }
	 *
	 * @since 1.5.1
	 * @since 5.1.0 The `$x_redirect_by` parameter was added.
	 * @since 5.4.0 On invalid status codes, wp_die() is called.
	 *
	 * @global bool $is_IIS
	 *
	 * @param string $location      The path or URL to redirect to.
	 * @param int    $status        Optional. HTTP response status code to use. Default '302' (Moved Temporarily).
	 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'.
	 * @return bool False if the redirect was canceled, true otherwise.
	 */

常见问题

FAQs
查看更多 >