check_admin_referer( int|string $action = -1, string $query_arg = '_wpnonce' )

Ensures intent by verifying that a user was referred from another admin page with the correct security nonce.

Contents

Description Description

This function ensures the user intends to perform a given action, which helps protect against clickjacking style attacks. It verifies intent, not authorisation, therefore it does not verify the user’s capabilities. This should be performed with current_user_can() or similar.

If the nonce value is invalid, the function will exit with an "Are You Sure?" style message.

Parameters Parameters

$action

(int|string) (Optional) The nonce action.

Default value: -1

$query_arg

(string) (Optional) Key to check for nonce in $_REQUEST.

Default value: '_wpnonce'

Top ↑

Return Return

(false|int) False if the nonce is invalid, 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.

Top ↑

Source Source

File: wp-includes/pluggable.php 

	function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) {
		if ( -1 === $action ) {
			_doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' );
		}

		$adminurl = strtolower( admin_url() );
		$referer  = strtolower( wp_get_referer() );
		$result   = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false;

		/**
		 * Fires once the admin request has been validated or not.
		 *
		 * @since 1.5.1
		 *
		 * @param string    $action The nonce action.
		 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
		 *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
		 */
		do_action( 'check_admin_referer', $action, $result );

		if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) {
			wp_nonce_ays( $action );
			die();
		}

		return $result;
	}

Expand full source code Collapse full source code View on Trac

Top ↑

Changelog Changelog

Changelog
Version Description
2.5.0 The $query_arg parameter was added.
1.2.0 Introduced.

Top ↑

Top ↑

Uses Uses

Uses
Uses Description
wp-includes/l10n.php: __()

Retrieve the translation of $text.
wp-includes/pluggable.php: wp_verify_nonce()

Verifies that a correct security nonce was used with time limit.
wp-includes/pluggable.php: check_admin_referer

Fires once the admin request has been validated or not.
wp-includes/functions.php: _doing_it_wrong()

Mark something as being incorrectly called.
wp-includes/functions.php: wp_nonce_ays()

Display “Are You Sure” message to confirm the action being taken.
wp-includes/functions.php: wp_get_referer()

Retrieve referer from ‘_wp_http_referer’ or HTTP referer.
wp-includes/link-template.php: admin_url()

Retrieves the URL to the admin area for the current site.
wp-includes/plugin.php: do_action()

Execute functions hooked on a specific action hook.
Show 3 more uses Hide more uses

Top ↑

Used By Used By

Used By
Used By Description
wp-admin/includes/post.php: use_block_editor_for_post()

Return whether the post can be edited in the block editor.
wp-admin/includes/class-wp-privacy-requests-table.php: WP_Privacy_Requests_Table::process_bulk_action()

Process bulk actions.
wp-admin/includes/privacy-tools.php: _wp_personal_data_handle_actions()

Handle list table actions.
wp-admin/includes/misc.php: set_screen_options()

Saves option for number of rows when listing posts, pages, comments, etc.
wp-admin/includes/dashboard.php: wp_dashboard_setup()

Registers dashboard widgets.
wp-admin/includes/media.php: media_upload_form_handler()

Handles form submissions for the legacy media uploader.
wp-admin/includes/media.php: wp_media_upload_handler()

Handles the process of uploading media.
wp-admin/includes/class-custom-image-header.php: Custom_Image_Header::step_2()

Display second step of custom header image page.
wp-admin/includes/class-custom-image-header.php: Custom_Image_Header::step_3()

Display third step of custom header image page.
wp-admin/includes/class-custom-image-header.php: Custom_Image_Header::take_action()

Execute custom header modification.
wp-admin/includes/class-custom-background.php: Custom_Background::take_action()

Execute custom background modification.
wp-admin/includes/class-custom-background.php: Custom_Background::handle_upload()

Handle an Image upload for the background image.
Show 7 more used by Hide more used by

Top ↑

User Contributed Notes User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note
    Contributed by Codex

    Usage in a plugin’s option page

    Here is an example of how you might use this in a plugin’s option page. You add a nonce to a form using the wp_nonce_field() function:

    <form method="post">
   <!-- some inputs here ... -->
   <?php wp_nonce_field( 'name_of_my_action','name_of_nonce_field' ); ?>
</form>

    Then in the page where the form submits to, you can verify whether or not the form was submitted and update values if it was successfully submitted:

    <?php
// if this fails, check_admin_referer() will automatically print a "failed" page and die.
if ( ! empty( $_POST ) && check_admin_referer( 'name_of_my_action', 'name_of_nonce_field' ) ) {
   // process form data, e.g. update fields
}

// Display the form

You must log in before being able to contribute a note or feedback.