How do I get the wp nonce value for my PHP libcurl script

I’d like to automate some administrative tasks for myself on my wpmu install. For example, I’m trying to write a PHP curl script for logging in and adding a new blog. So I’m already logged in via curl and now I want to post the form that’s in wpmu-blogs.php, but it has a hidden wp nonce field. How do I get this value into a variable? I checked the source but there is more than one wp nonce hidden field. I’m assuming that there are different nonce values for different tasks on different forms. How do I get the one I need – for adding a new blog?

2 comments

  1. The point of a nonce is to protect against a cross site forgery attack. Because of this, a new nonce value is going to be generated on a regular basis. If the nonce was predictable, it wouldn’t be effective.

    To post to a nonce enabled form using curl, you’d need to

    1. Turn on all cookie handling options (both saving cookies to a cookie jar, and sending cookies in the saved cookie jar)

    2. Make a request to the page that contains your form

    3. Using regular expressions or an HTML/XHTML parsing library, pull out the nonce value you want

    4. With that value in hand, post to the page you want, sending the nonce along

    This kind of programming can be tedious. You’re essentially trying to emulate a web browser. It’s doable, but you may want to consider

    1. Looking into the WordPress XML-RPC API. This is the supported way of doing the kind of things you’re trying to automate with CURL, and will be much more straightforward once you climb the learning curve.

    2. There’s also the AtomPub API. AtomPub is, in part, an attempt to come up with a standard way of performing common actions to weblogs and personal publishing sites. The advantage is, in theory, scripts written for one system (WordPress) will work on another system (MovableType). The disadvantage is AtomPub features tend to lag behind/differ from features supported in each engine’s custom API.

    3. Finally, if you’re not up for learning either API, you might want to give Selenium a try. Selenium IDE will allow you to script Firefox and have the nonce handled automatically, since you’re actually using a browser to visit each page.
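
Steps 1 to 4 of the answer above, sketched with PHP libcurl as an added example that is not part of the original thread. The `action=addblog` form-action substring, the sample markup, and the `$base`, `$jar` and `$blogValues` names are assumptions; `_wpnonce` is WordPress's default nonce field name.

```php
<?php
// Added example (not from the original thread). Assumed: the add-blog form's
// action contains "action=addblog"; the sample markup below is constructed.

// Step 3: return the hidden inputs of the ONE form whose action contains
// $needle, so the nonce taken is the one issued for that task.
function hidden_fields_for_form(string $html, string $needle): array {
    libxml_use_internal_errors(true);   // real admin pages are rarely valid HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('form') as $form) {
        if (strpos($form->getAttribute('action'), $needle) === false) continue;
        $fields = [];
        foreach ($form->getElementsByTagName('input') as $in) {
            if (strtolower($in->getAttribute('type')) === 'hidden') {
                $fields[$in->getAttribute('name')] = $in->getAttribute('value');
            }
        }
        return $fields;
    }
    throw new RuntimeException("no form with action containing '$needle'");
}

// Steps 1, 2 and 4: every request reads and writes the same cookie jar.
function http(string $url, string $jar, ?array $post = null): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => $jar,   // send cookies saved earlier
        CURLOPT_COOKIEJAR      => $jar,   // save cookies when the handle is freed
    ]);
    if ($post !== null) {                 // setting POSTFIELDS makes it a POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = curl_exec($ch);
    if ($body === false) throw new RuntimeException(curl_error($ch));
    return $body;
}

// Constructed sample: two forms, each with its own _wpnonce.
$sample = '<form action="wpmu-edit.php?action=deleteblog"><input type="hidden" name="_wpnonce" value="aaaa1111"></form>'
        . '<form action="wpmu-edit.php?action=addblog"><input type="hidden" name="_wpnonce" value="bbbb2222">'
        . '<input type="hidden" name="_wp_http_referer" value="/wp-admin/wpmu-blogs.php"></form>';
print_r(hidden_fields_for_form($sample, 'action=addblog'));

// Against your own install (placeholder URLs; $blogValues = your form fields):
// $fields = hidden_fields_for_form(http("$base/wp-admin/wpmu-blogs.php", $jar), 'action=addblog');
// http("$base/wp-admin/wpmu-edit.php?action=addblog", $jar, $fields + $blogValues);
```

Fetch the form and post it in the same run with the same cookie jar: WordPress ties a nonce to the logged-in user and a time window, so a value saved from an earlier session will be rejected.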