In WordPress: Creating Custom Widgets and Plugins with PHP, Drew Falkman teaches PHP developers how to create custom functionality for WordPress 2.0 through 3.0 using widgets and plugins. This course starts by installing and setting up WordPress 3.0 on both Mac and Windows, then provides an in-depth look at tasks related to these WordPress add-ons: installing and administering, building and customizing, creating editable options and database tables, working with posts and pages, and utilizing jQuery and AJAX. There are also tutorials dedicated to promoting a widget or plugin, adding security, and localizing the interface. Exercise files are included with the course.
One problem with performing database interactions from form pages is that it can subject our site to potential attacks. There is a particular type of attack called a cross-site request forgery, or CSRF. It's basically where someone spoofs a request to make it look like it's coming from your form page and going to your submission page, and then they can wreak all kinds of havoc that way. WordPress has a built-in methodology to handle this called nonces. And even though the form submission that we are using in our cc-comments plugin is the pre-2.7 way, I wanted to show it to you for the simple reason that understanding how nonces work can be really helpful.
So let's go back and take a look at our form. What we were doing was submitting this hidden field, which we'd then check for on the submission side before processing the data. Well, anyone could pretend to generate this form and send it. However, if we use a special function called wp_nonce_field, we can have it generate a hidden field for us, populated with a key: a nonce, or number used once. We give it a specific id for this action, so cccomm_admin_options-update.
So this will generate our field for us. Then to validate it on the submission side, we can use a special function called check_admin_referer, and we pass to it the same ID that we used when generating the field. What it will do is look to see that the submitted key is a valid one that WordPress generated, and only then will it process the request. So this allows for a more secure way to do it. One of the advantages of understanding nonces is that when you get into jQuery and using AJAX--or you can use one of the other libraries with AJAX--it's a good practice to use nonces, and check_admin_referer is basically how you do it.
So it's very simple to repeat the same methodology using AJAX. For maximum security of form submissions, it's a best practice to use nonces, or numbers used once. WordPress is going to automatically generate a key, and then it will check for a match on submission. When you do this with WordPress 2.7 or later, it's actually quite a bit easier, and we will look at that in the next video; it automatically handles this for you. However, it's good to understand the concept of nonces.
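Here is the form-plus-submission flow described above, and the AJAX variant mentioned at the end, as an added example; this is not the course's cc-comments plugin code. The nonce action string `cccomm_admin_options-update` is the one used in the video; the plugin prefix `cccomm_`, the option name `cccomm_example_option`, the AJAX action `cccomm_save`, the script handle and the JavaScript file name are assumptions, and the AJAX portion assumes a current WordPress (wp_send_json_success and check_ajax_referer are newer than the 3.0 release the course targets).

```php
<?php
/*
Plugin Name: CC Comments nonce demo (added example, not the course's plugin)
*/

// Nonce action from the video; everything else in this file is a hypothetical name.
define( 'CCCOMM_NONCE_ACTION', 'cccomm_admin_options-update' );

function cccomm_register_menu() {
    add_options_page( 'CC Comments', 'CC Comments', 'manage_options',
        'cccomm-options', 'cccomm_render_options_page' );
}
add_action( 'admin_menu', 'cccomm_register_menu' );

// Render the options form. wp_nonce_field() prints a hidden "_wpnonce" input
// tied to the action string (and, by default, a "_wp_http_referer" input).
function cccomm_render_options_page() {
    $value = get_option( 'cccomm_example_option', '' );
    ?>
    <div class="wrap">
        <h2>CC Comments Options</h2>
        <form method="post" action="">
            <?php wp_nonce_field( CCCOMM_NONCE_ACTION ); ?>
            <input type="hidden" name="cccomm_submit" value="1" />
            <label>Example option
                <input type="text" name="cccomm_example_option"
                       value="<?php echo esc_attr( $value ); ?>" />
            </label>
            <input type="submit" class="button-primary" value="Save" />
        </form>
    </div>
    <?php
}

// Handle the submission. check_admin_referer() verifies the nonce for the same
// action; on failure it stops execution with the "Are you sure?" screen, so the
// code below it only runs for requests carrying a token WordPress itself issued.
// Nonces do not replace an authorization check, hence current_user_can() as well.
function cccomm_handle_options_submit() {
    if ( empty( $_POST['cccomm_submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( CCCOMM_NONCE_ACTION );

    $raw   = isset( $_POST['cccomm_example_option'] ) ? $_POST['cccomm_example_option'] : '';
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'cccomm_example_option', $clean );
}
add_action( 'admin_init', 'cccomm_handle_options_submit' );

// Same idea over AJAX: hand a nonce to the script, then verify it in the handler.
function cccomm_enqueue_admin_script() {
    // "cccomm-admin.js" is a hypothetical file shipped beside this plugin file.
    wp_enqueue_script( 'cccomm-admin', plugins_url( 'cccomm-admin.js', __FILE__ ),
        array( 'jquery' ), '1.0', true );
    wp_localize_script( 'cccomm-admin', 'cccommAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'cccomm_ajax_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'cccomm_enqueue_admin_script' );

function cccomm_ajax_save() {
    // Reads $_REQUEST['nonce'] and dies with -1 (HTTP 403) if it does not verify.
    check_ajax_referer( 'cccomm_ajax_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.' );
    }
    $raw   = isset( $_POST['value'] ) ? $_POST['value'] : '';
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_option( 'cccomm_example_option', $clean );
    wp_send_json_success( array( 'saved' => $clean ) );
}
// Logged-in users only; there is deliberately no wp_ajax_nopriv_ hook here.
add_action( 'wp_ajax_cccomm_save', 'cccomm_ajax_save' );
```

The script side posts `action=cccomm_save`, `nonce=cccommAjax.nonce` and `value=...` to `cccommAjax.url`; the handler rejects anything whose nonce does not verify before it touches the database. Two caveats worth knowing: a WordPress nonce is not literally a number used once but a token bound to the user, the action string and a time window (valid for roughly 12 to 24 hours), and neither check_admin_referer nor check_ajax_referer tests capabilities, so the nonce check and the current_user_can check both belong in the handler.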