Just before I start, please note that I am new at any type of WordPress/PHP security. A few days ago a friend of mine asked me to create Theme Options for his Theme; all is set and working fine, however he had a few minor issues with his Theme in the past and I would like to make sure that the Nonce and check_admin_referer are set properly.
Here is what I used:
http://codex.wordpress.org/Function_Reference/check_admin_referer
http://codex.wordpress.org/WordPress_Nonces
And now my question is: where exactly does wp_nonce_field need to be, and where check_admin_referer?
Before the form starts I have:
if ( !empty($_POST) && check_admin_referer('crt_nonce') )
{
    $saved = false;
    if ( isset( $_REQUEST['action'] ) && 'save' == $_REQUEST['action'] ) {
        // the option fields are read from $_POST and saved here
    }
}
and just before the form closes, the wp_nonce_field:
<form action="" id="save" method="post">
<?php wp_nonce_field('crt_nonce'); ?>
</form>
There are a few articles about this around, but they don’t help me at all. If anyone can and wants to assist me here I would very much appreciate it. And I will do my best to follow your instructions religiously and try to avoid more questions 😉
PS Oh, so that I don’t forget 🙂 wp_nonce_field and check_admin_referer need to be set once, correct, not for each option field that I’ve created?
Thanks,
Draga
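Putting the two calls together, as an added example that is not the asker's code nor from any answer (the page slug, option name, field name and nonce action/field names are assumed placeholders): one wp_nonce_field inside the form, one check_admin_referer before anything from $_POST is used, with a capability check in front of it because a nonce proves intent, not authorization.

```php
<?php
// Added example: minimal theme options page with correct nonce placement.
// 'crt-theme-options', 'crt_theme_options', 'footer_text', 'crt_save_options'
// and 'crt_nonce' are assumed placeholder names.

add_action( 'admin_menu', function () {
    add_theme_page( 'Theme Options', 'Theme Options', 'edit_theme_options',
        'crt-theme-options', 'crt_render_options_page' );
} );

function crt_handle_save() {
    // Only act on a POST of our own form; GET views of the page skip all of this.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['crt_save'] ) ) {
        return false;
    }
    // Authorization first: the nonce alone does not say who may change options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // One nonce covers the whole form, so this runs once, not per field.
    // check_admin_referer() calls wp_die() on failure; wp_verify_nonce()
    // is the non-dying alternative if you want to handle failure yourself.
    check_admin_referer( 'crt_save_options', 'crt_nonce' );

    $options = array(
        'footer_text' => sanitize_text_field( wp_unslash( $_POST['footer_text'] ?? '' ) ),
    );
    update_option( 'crt_theme_options', $options );
    return true;
}

function crt_render_options_page() {
    $saved   = crt_handle_save();
    $options = get_option( 'crt_theme_options', array( 'footer_text' => '' ) );
    ?>
    <div class="wrap">
        <h1>Theme Options</h1>
        <?php if ( $saved ) : ?><div class="updated"><p>Saved.</p></div><?php endif; ?>
        <form method="post" action="">
            <?php wp_nonce_field( 'crt_save_options', 'crt_nonce' ); ?>
            <label>Footer text
                <input type="text" name="footer_text"
                       value="<?php echo esc_attr( $options['footer_text'] ); ?>">
            </label>
            <?php submit_button( 'Save', 'primary', 'crt_save' ); ?>
        </form>
    </div>
    <?php
}
```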
It’s not exactly an answer to your question, but I suggest you check out the Settings API instead. It’s not ideal (a little too verbose), but it’s a very structured approach, so it’s easier to get a nice, consistent-looking form and harder to get security wrong.
Chip Bennett has published a thorough tutorial that shows step by step how to use it for a theme options page.
You could use wp_verify_nonce to verify the nonce: http://codex.wordpress.org/Function_Reference/wp_verify_nonce