One problem with performing database interactions from form pages is that it can subject our site to potential attacks. There is a particular type of attack called a cross-site request forgery, or CSRF. It's basically where someone spoofs a request to make it look like it's coming from your form page and going to your submission page, and then they can wreak all kinds of havoc that way. WordPress has a built-in methodology to handle this called nonces. And even though the form submission that we are using in our cc-comments plugin is the pre-2.7 way, I wanted to show it to you for the simple reason that understanding nonces work can be really helpful.
So let's go back and take a look at our form. What we were doing was we were submitting this hidden field, and this hidden field we'd then check for and then submit it. Well, anyone could pretend to generate this form and send it. However, if we use a special function call wp_nonce_field, we can essentially have it generate a hidden field, and a key will be populated, a nonce, or a number used once. So we are going to give it a specific id. So cccomm_admin_options-update.
So this will generate our field for us. Then to validate it on the submission side, we can use a special function called check_admin_referer, and then we pass to it the same ID that we used for submitting it. So what it will do then is it will look to see that it's a valid key that it has generated, and it will then process this. So this allows for a more secure way to do it. One of the advantages of understanding nonces is that when you get into jQuery and using AJAX--or you can use one of the other libraries with AJAX--it's a good practice to use nonces, and this check_ admin_referer is basically how you do it.
So it's very simple to repeat this on the same methodology, using AJAX. For maximum security of form submissions, it's a best practice to use nonces, or numbers used once. WordPress is going to automatically generate a key, and then it will check for a match on submission. When you do this with post WordPress 2.7, it's actually quite easier, and we will look at that in the next video. It automatically handles this for you. However, it's good to understand the concept of nonces.
Get unlimited access to all courses for just $25/month.Become a member
82 Video lessons · 98806 Viewers
61 Video lessons · 86122 Viewers
71 Video lessons · 69975 Viewers
56 Video lessons · 102223 Viewers
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Your file was successfully uploaded.