bp_verify_nonce_request( string $action = '', string $query_arg = '_wpnonce' )

Makes sure the user requested an action from another page on this site.

Description

A CSRF guard for theme and plugin request handlers. It looks up the nonce in $_REQUEST[$query_arg], checks it against $action with wp_verify_nonce(), and additionally requires that the URL being requested (scheme, host, optional port and path, lowercased) begins with the site's home_url(). A request that carries no nonce, a nonce for a different action or user, an expired nonce, an empty $action, or a URL outside home_url() all fail the check.

The requested URL is built from $_SERVER['HTTP_HOST'] and $_SERVER['REQUEST_URI']. HTTP_HOST is taken from the client's Host header, so the web server should only answer for the canonical host name; sites served behind a reverse proxy, where PHP sees an internal host or port, can adjust the comparison with the bp_verify_nonce_request_url filter. A valid nonce proves that the request originated from a page this site generated for the current user; it does not replace capability or ownership checks in the handler.

Parameters

$action

(Optional) Action name the nonce was created for: the same string passed to wp_create_nonce(), wp_nonce_field() or wp_nonce_url(). Although optional in the signature, an empty action makes the function return false, so in practice it must always be supplied.

Default value: ''

$query_arg

(Optional) Key in $_REQUEST under which the nonce is sent, i.e. the name of the GET or POST field (depending on PHP's request_order setting, $_REQUEST may also include cookies).

Default value: '_wpnonce'

Return

(int|false) The value returned by wp_verify_nonce() when the nonce is valid and the requested URL is under home_url(): 1 if the nonce was generated in the first half of its lifetime, 2 if in the second half (both truthy). false otherwise. Test the result as a boolean ( if ( ! bp_verify_nonce_request( ... ) ) ) rather than comparing it to true with ===.
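The following is an added usage example, not code from BuddyPress or from this page: a plugin handler that protects a state-changing POST with bp_verify_nonce_request(). The action name 'example_update_profile_note', the nonce field name 'example_note_nonce', the form field names and the user-meta key are assumptions chosen for the illustration.

```php
<?php
/**
 * Added example (not BuddyPress code). Protects a profile-note form with a
 * WordPress nonce and verifies it with bp_verify_nonce_request().
 * Names prefixed "example_" are assumptions for this illustration.
 */

// 1. Render the form. wp_nonce_field() prints a hidden input named
//    'example_note_nonce' holding a nonce for the action
//    'example_update_profile_note' (plus a _wp_http_referer field).
//    No action attribute: the form posts back to the current page, so the
//    requested URL stays under home_url().
function example_render_note_form() {
	?>
	<form method="post">
		<?php wp_nonce_field( 'example_update_profile_note', 'example_note_nonce' ); ?>
		<textarea name="example_note"></textarea>
		<button type="submit" name="example_save_note" value="1">Save</button>
	</form>
	<?php
}

// 2. Handle the submission early in the request, before any data is touched.
function example_handle_note_submit() {
	if ( empty( $_POST['example_save_note'] ) || ! is_user_logged_in() ) {
		return;
	}

	$back = wp_get_referer() ? wp_get_referer() : home_url( '/' );

	// Pass the SAME action string used in wp_nonce_field() and the name of
	// the field that carries the nonce. The action must be non-empty:
	// bp_verify_nonce_request( '' ) always returns false.
	// A valid result is 1 or 2 (not strictly true), so test it as a boolean.
	if ( ! bp_verify_nonce_request( 'example_update_profile_note', 'example_note_nonce' ) ) {
		bp_core_add_message( __( 'Your session expired. Please try again.', 'example' ), 'error' );
		bp_core_redirect( $back ); // bp_core_redirect() exits.
	}

	// The nonce proves intent, not authorization. Here the record belongs to
	// the logged-in user, so ownership is implicit; for anything else, add a
	// capability or ownership check at this point.
	$note = sanitize_textarea_field( wp_unslash( $_POST['example_note'] ) );
	bp_update_user_meta( bp_loggedin_user_id(), 'example_note', $note );

	bp_core_add_message( __( 'Note saved.', 'example' ) );
	bp_core_redirect( $back );
}
add_action( 'bp_actions', 'example_handle_note_submit' );
```

Because the handler redirects on both paths, a failed check never falls through into the write. If the nonce is carried in a link rather than a form, generate it with wp_nonce_url() using the same action string; by default that places it in the _wpnonce query argument, which is the default $query_arg here.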

Source

File: bp-core/bp-core-functions.php

function bp_verify_nonce_request( $action = '', $query_arg = '_wpnonce' ) {
 
    /* Home URL **************************************************************/
 
    // Parse home_url() into pieces to remove query-strings, strange characters,
    // and other funny things that plugins might do to it.
    $parsed_home = parse_url( home_url( '/', ( is_ssl() ? 'https' : 'http' ) ) );
 
    // Maybe include the port, if it's included in home_url().
    if ( isset( $parsed_home['port'] ) ) {
        $parsed_host = $parsed_home['host'] . ':' . $parsed_home['port'];
    } else {
        $parsed_host = $parsed_home['host'];
    }
 
    // Set the home URL for use in comparisons.
    $home_url = trim( strtolower( $parsed_home['scheme'] . '://' . $parsed_host . $parsed_home['path'] ), '/' );
 
    /* Requested URL *********************************************************/
 
    // Maybe include the port, if it's included in home_url().
    if ( isset( $parsed_home['port'] ) && false === strpos( $_SERVER['HTTP_HOST'], ':' ) ) {
        $request_host = $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'];
    } else {
        $request_host = $_SERVER['HTTP_HOST'];
    }
 
    // Build the currently requested URL.
    $scheme        = is_ssl() ? 'https://' : 'http://';
    $requested_url = strtolower( $scheme . $request_host . $_SERVER['REQUEST_URI'] );
 
    /* Look for match ********************************************************/
 
    /**
     * Filters the requested URL being nonce-verified.
     *
     * Useful for configurations like reverse proxying.
     *
     * @since BuddyPress 1.9.0
     *
     * @param string $requested_url The requested URL.
     */
    $matched_url = apply_filters( 'bp_verify_nonce_request_url', $requested_url );
 
    // Check the nonce.
    $result = isset( $_REQUEST[$query_arg] ) ? wp_verify_nonce( $_REQUEST[$query_arg], $action ) : false;
 
    // Nonce check failed.
    if ( empty( $result ) || empty( $action ) || ( strpos( $matched_url, $home_url ) !== 0 ) ) {
        $result = false;
    }
 
    /**
     * Fires at the end of the nonce verification check.
     *
     * @since BuddyPress 1.6.0
     *
     * @param string $action Action nonce.
     * @param bool   $result Boolean result of nonce verification.
     */
    do_action( 'bp_verify_nonce_request', $action, $result );
 
    return $result;
}
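Behind a TLS-terminating reverse proxy, PHP may see HTTP_HOST as the backend host and is_ssl() as false, so the URL this function builds never starts with home_url() and every nonce check fails. The bp_verify_nonce_request_url filter documented in the source above exists for that case. The following is an added example, not BuddyPress code or the project's recommended configuration; the backend origin 'http://app-backend.internal:8080' and the public origin 'https://community.example.com' are assumed values, and the public origin must match the site's configured home_url().

```php
<?php
/**
 * Added example (not BuddyPress code). Rewrites the requested URL that
 * bp_verify_nonce_request() compares against home_url() when the site is
 * served through a reverse proxy. Host names and ports are assumptions.
 */
function example_bp_nonce_request_url_behind_proxy( $requested_url ) {
	// Origin PHP sees on the backend (scheme, host and port as the proxy
	// forwards them), and the public origin clients use, which must equal
	// the origin part of home_url(). Both lowercase, because the caller
	// lowercases $requested_url before filtering it.
	$backend_origin = 'http://app-backend.internal:8080';
	$public_origin  = 'https://community.example.com';

	// Rewrite only the known backend origin; any other host is left alone so
	// the prefix check in bp_verify_nonce_request() still rejects it.
	if ( 0 === strpos( $requested_url, $backend_origin . '/' ) ) {
		$requested_url = $public_origin . substr( $requested_url, strlen( $backend_origin ) );
	}

	return $requested_url;
}
add_filter( 'bp_verify_nonce_request_url', 'example_bp_nonce_request_url_behind_proxy' );
```

Mapping a single known backend origin is deliberately narrower than returning home_url() unconditionally: a request that reaches PHP under some other Host value still fails the URL prefix check. The backend should in any case only be reachable through the proxy, because the nonce itself (tied to the user, the action and a time window) is what actually prevents cross-site forgery; the URL comparison only rejects requests served under an unexpected origin.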

Changelog

Version            Description
BuddyPress 1.6.0   Introduced.
BuddyPress 1.9.0   Added the bp_verify_nonce_request_url filter.
