Do I need a nonce field for every meta box I add to my custom post type admin?

I’m currently working on the admin page of my custom post type, and I got stuck on deciding whether to add a nonce field again for the second metabox or not. I’m very new to custom post types, and searching online about this doesn’t really yield that many results.

Any thoughts? Thanks.

4 comments

  1. I would recommend so.

    You do (and should) have your own nonce with which to check the origin of the data and the intent of the user. If you have just one nonce for a metabox – then you run into problems if that metabox is removed (not the same as hidden). If removed, the second metabox will (or at least should) never save, since the nonce is no longer sent.

    Of course from a security point of view, nothing is added by a second nonce – unless you ever wish to only update one metabox and not the other: nonces should be unique to the action.


    Edit

    As pointed out, there is only one form for the post edit screen. So, in theory, you only need one nonce field with which to validate the action and the origin of the data. However, since metaboxes can be removed – by having a nonce field in only one metabox there is no guarantee the nonce will be there. By placing a nonce field in each metabox you can check if data from that metabox has been sent (and is actually from where you think it is) prior to processing any data. E.g.:

    add_action( 'save_post', 'save_post_call_back' );
    function save_post_call_back( $post_id ) {

      // Check this is not an auto-save route
      if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
      }

      // Field names and action strings below are illustrative; each metabox
      // outputs its own field with wp_nonce_field( action, field_name ).
      // Nonce of metabox1 present and valid?
      if ( isset( $_POST['metabox1_nonce'] ) && wp_verify_nonce( $_POST['metabox1_nonce'], 'save_metabox1_' . $post_id ) ) {
         // Process data from metabox1
      } else {
        // Either metabox removed - or invalid nonce. Take no action.
      }

      // Nonce of metabox2 present and valid?
      if ( isset( $_POST['metabox2_nonce'] ) && wp_verify_nonce( $_POST['metabox2_nonce'], 'save_metabox2_' . $post_id ) ) {
         // Process data from metabox2
      } else {
        // Either metabox removed - or invalid nonce. Take no action.
      }

    }
    

    The name of the nonce field should be unique to the metabox (and not clash with any other nonces that are present on the form from other plug-ins).

    The nonce value should be unique to the action (and this generally should include the origin of the data (e.g. edit-post as opposed to quick-edit)). I generally include the post ID too.
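The following is an added, complete example of the per-metabox pattern described in this answer; it is not the answerer's code. It registers two metaboxes on an assumed custom post type `book`, gives each its own nonce field (field name unique to the box, action string unique to the box and the post ID), and saves each box independently so that removing one box never blocks the other. All function names, field names and meta keys are illustrative assumptions.

```php
<?php
// Added example: two metaboxes, each with its own nonce, saved independently.
// Post type 'book', the example_* names and the _example_* meta keys are assumptions.

add_action( 'add_meta_boxes', 'example_register_metaboxes' );
function example_register_metaboxes() {
    add_meta_box( 'example_isbn',  'ISBN',  'example_render_isbn_box',  'book', 'side' );
    add_meta_box( 'example_price', 'Price', 'example_render_price_box', 'book', 'side' );
}

// Each box emits its own nonce field. The field name is unique to the box so it
// cannot clash with nonces from other plug-ins on the same form; the action string
// is unique to the box AND to the post being edited.
function example_render_isbn_box( $post ) {
    wp_nonce_field( 'example_save_isbn_' . $post->ID, 'example_isbn_nonce' );
    $isbn = get_post_meta( $post->ID, '_example_isbn', true );
    printf( '<input type="text" name="example_isbn" value="%s" />', esc_attr( $isbn ) );
}

function example_render_price_box( $post ) {
    wp_nonce_field( 'example_save_price_' . $post->ID, 'example_price_nonce' );
    $price = get_post_meta( $post->ID, '_example_price', true );
    printf( '<input type="number" step="0.01" name="example_price" value="%s" />', esc_attr( $price ) );
}

// True only if the named nonce field was submitted and verifies for this post.
// A missing field means the box was removed (not hidden) or the request did not
// originate from the edit screen; in both cases that box's data is left untouched.
function example_box_nonce_is_valid( $field, $action_prefix, $post_id ) {
    if ( ! isset( $_POST[ $field ] ) ) {
        return false;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );
    return (bool) wp_verify_nonce( $nonce, $action_prefix . $post_id );
}

add_action( 'save_post', 'example_save_metaboxes', 10, 2 );
function example_save_metaboxes( $post_id, $post ) {
    if ( 'book' !== $post->post_type ) {
        return;
    }
    // Autosaves and revisions never carry the metabox fields.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // A valid nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Box 1: processed only if its own nonce is present and valid.
    if ( example_box_nonce_is_valid( 'example_isbn_nonce', 'example_save_isbn_', $post_id )
        && isset( $_POST['example_isbn'] ) ) {
        $isbn = sanitize_text_field( wp_unslash( $_POST['example_isbn'] ) );
        update_post_meta( $post_id, '_example_isbn', $isbn );
    }

    // Box 2: independent of box 1, so removing either box leaves the other working.
    if ( example_box_nonce_is_valid( 'example_price_nonce', 'example_save_price_', $post_id )
        && isset( $_POST['example_price'] ) ) {
        $price = (float) wp_unslash( $_POST['example_price'] );
        update_post_meta( $post_id, '_example_price', $price );
    }
}
```

Note that the nonce check and the `current_user_can()` check serve different purposes: the nonce ties the submission to this box, this post and the edit-post screen, while the capability check decides whether the current user may change the post at all. Both are needed before any field is written.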

  2. You could also hook the submit box, which never disappears, adding the nonce field to it:

    add_action( 'post_submitbox_start', 'theme_submitdiv_extra' );
    function theme_submitdiv_extra()
    {
      wp_nonce_field( 'theme_meta_box_nonce', 'meta_box_nonce' );
    }
    

    Then, in your save_post action:

    if( !isset( $_POST['meta_box_nonce'] ) || !wp_verify_nonce( $_POST['meta_box_nonce'], 'theme_meta_box_nonce' ) ) return;
    
  3. In WP 3.5.2 the whole edit page is wrapped in a form tag, so you should NOT add your own form tags!! If you still do that and try to add another separate custom meta box, it will fail when saving and only lead you to wp-admin home when trying to save!!

    Also, do NOT add the NONCE field either, as there is only supposed to be one per form (this also might make it fail!!). And the page edit already has a nonce field!

    Edit:

    The thing is: 1) there is only one form tag for the whole edit screen, as the correct answer's author has admitted, and 2) it automatically has a nonce added to it. Why would you have to add more? It will always have the nonce no matter what…

    The intent, in my view, is to edit the page by content or meta data, e.g. one nonce field… Also, when I tried to add more it didn’t even work with multiple meta-boxes!! One will work and the other will fail and only redirect the user to wp-admin home!