While taking my first steps with wp_nonce_field I tried the "Basic Examples" from https://developer.wordpress.org/reference/functions/wp_nonce_field/
It says there: "simplest implementation which omits all arguments"
At the bottom of my htdocs/wp-content/plugins/abcd-plugin/abcd-plugin.php
I wrote:
function hi_in_wp_head() {
?>
<form name="f1">
<input name="i1" value="hi_in_wp_head">
<input type="submit" name="s1">
<?php wp_nonce_field('name_of_your_action', 'name_of_your_nonce_field'); ?>
</form>
<?php
if(wp_verify_nonce($_REQUEST['name_of_your_nonce_field'], 'name_of_your_action')){
// Nonce is matched and valid. do whatever you want now.
} else {
// Invalid nonce. you can throw an error here.
die("ups 19-02-28_17-09");
}
}
function hi_in_footer() {
echo '<h1>hi_in_footer</h1>';
}
Complete source:
https://gist.github.com/f9f0a853f0a71c5a2055b88802a1010c
This looks like this in the web browser:
<meta name="generator" content="WordPress 5.0.3" />
<form name="f1">
<input name="i1" value="hi_in_wp_head">
<input type="submit" name="s1">
<input type="hidden" id="name_of_your_nonce_field" name="name_of_your_nonce_field" value="5a82357118" /><input type="hidden" name="_wp_http_referer" value="/wordpress/alecaddd-plugin.php" /> </form>
<br />
<b>Notice</b>: Undefined index: name_of_your_nonce_field in <b>G:\Bitnami\wordpress-5.0.3-2\apps\wordpress\htdocs\wp-content\plugins\alecaddd-plugin\alecaddd-plugin.php</b> on line <b>89</b><br />
ups 19-02-28_17-09
Undefined index: name_of_your_nonce_field during first basic example with
I do not know where the error comes from. What could I do?
As the error message states, $_REQUEST['name_of_your_nonce_field'] isn't set. You need to make sure it's set before using it:
function hi_in_wp_head() {
?>
<form name="f1">
<input name="i1" value="hi_in_wp_head">
<input type="submit" name="s1">
<?php wp_nonce_field('name_of_your_action', 'name_of_your_nonce_field'); ?>
</form>
<?php
if(isset($_REQUEST['name_of_your_nonce_field'])) {
if(wp_verify_nonce($_REQUEST['name_of_your_nonce_field'], 'name_of_your_action')){
// Nonce is matched and valid. do whatever you want now.
} else {
// Invalid nonce. you can throw an error here.
die("ups 19-02-28_17-09");
}
}
}
$_REQUEST['name_of_your_nonce_field'] will be set after your form gets submitted. That's why you need the extra check.
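A complete round trip of the same idea, added here as an example (it is not the questioner's plugin or the answerer's code): the form is rendered in the footer, the handler runs on `init` before any output, and it separates the three cases that matter, namely "this form was not submitted" (the Undefined index case, which is not an error), "submitted with an expired or forged nonce", and "valid". The action and field names, the option name and the capability check are constructed for the example; it assumes it is loaded as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Nonce Round-Trip Demo (added example, not code from the question or answer)
 */

// Constructed names for this example; the same action string must be used
// when the nonce is created (wp_nonce_field) and when it is verified.
const DEMO_NONCE_ACTION = 'demo_save_greeting';
const DEMO_NONCE_FIELD  = 'demo_nonce';

/**
 * Handle the POST before any output. This runs on every request, so the first
 * thing it does is bail out when this form was not submitted at all.
 */
function demo_handle_submission() {
    if ( ! isset( $_POST['demo_submit'], $_POST[ DEMO_NONCE_FIELD ] ) ) {
        return; // Not our form (or a plain page view); nothing to verify.
    }

    // wp_verify_nonce() returns 1 (nonce created in the last 12 h), 2 (12-24 h old)
    // or false. false means expired, forged, or created for another user/session.
    $nonce = sanitize_text_field( wp_unslash( $_POST[ DEMO_NONCE_FIELD ] ) );
    if ( ! wp_verify_nonce( $nonce, DEMO_NONCE_ACTION ) ) {
        wp_die( 'Security check failed (expired or invalid nonce). Reload the page and try again.',
                'Forbidden', array( 'response' => 403 ) );
    }

    // A nonce only proves the request came from a form this site rendered for this
    // user; it says nothing about what the user is allowed to do. Check that separately.
    if ( ! current_user_can( 'read' ) ) {
        wp_die( 'You are not allowed to do this.', 'Forbidden', array( 'response' => 403 ) );
    }

    $greeting = sanitize_text_field( wp_unslash( $_POST['i1'] ?? '' ) );
    update_option( 'demo_greeting', $greeting );

    // Redirect after POST so that a browser refresh does not resubmit the form.
    wp_safe_redirect( add_query_arg( 'demo_saved', '1', wp_get_referer() ?: home_url( '/' ) ) );
    exit;
}
add_action( 'init', 'demo_handle_submission' );

/** Render the form in the footer with a fresh nonce for the current user. */
function demo_render_form() {
    ?>
    <form name="f1" method="post">
        <input name="i1" value="<?php echo esc_attr( get_option( 'demo_greeting', 'hi_in_wp_head' ) ); ?>">
        <input type="submit" name="demo_submit" value="Save">
        <?php wp_nonce_field( DEMO_NONCE_ACTION, DEMO_NONCE_FIELD ); ?>
    </form>
    <?php
    if ( isset( $_GET['demo_saved'] ) ) {
        echo '<p>Saved.</p>';
    }
}
add_action( 'wp_footer', 'demo_render_form' );
```

Handling the POST on `init` rather than inside the footer callback is what makes the redirect possible: by the time `wp_footer` fires, headers have already been sent.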
EDITED WITH UPDATED CODE: STILL NO SOLUTION
Can anyone spot the error in this code please?
custom-page.php:
<form name="customForm">
<?php wp_nonce_field('code_check', 'codecheck'); ?>
Validation Code:<br>
<input type="password" name="inputcode" id="inputcode" maxlength="6" inputmode="numeric">
<input type="text" name="message" id="message" style="display:none; background-color: #FFCCCC;"><br>
<input type="button" name="submitbutton" value="Submit" onClick="customfunction()">
</form>
custom.js:
function customfunction() {
const userInput = document.addStamp.inputcode.value;
const token = document.addStamp.codecheck.value;
fetch(`http://...../wp-json/api/v1/custom?code=${userInput}&token=${token}`).then(r => r.json()).then(data => {
......
API file.php:
public function custom($request)
{
$params = $request->get_params();
$retrieved_nonce = $params[token];
if($retrieved_nonce) {
if (!wp_verify_nonce($retrieved_nonce, 'code_check' ) ) die( 'Failed security check' );
}
....
Everything worked fine until I added the nonce verification code to the API request.
Now when I click on the "submit" button, it does not submit and I get this in the console:
Uncaught (in promise) SyntaxError: Unexpected token F in JSON at position 0
So it is failing as "F" is point 0 of the failure message.
However, if I output "$retrieved_nonce" I actually get the nonce value as shown in my page source code, so it looks like it is getting to the endpoint?
I have tried logging out and back in but no change.
Do I have this code set up wrong?
You can try this.
Form:
<form name="customForm" method="post">
<?php wp_nonce_field('code_check', 'code_check'); ?>
Validation Code:<br>
<input type="password" name="inputcode" id="inputcode" maxlength="6" inputmode="numeric">
<input type="text" name="message" id="message" style="display:none; background-color: #FFCCCC;"><br>
<input type="button" name="submitbutton" value="Submit" onClick="customfunction()">
</form>
In the customfunction function also send the wp_nonce_field field value, like:
function customfunction() {
const userInput = document.customForm.inputcode.value;
const code_check = document.customForm.code_check.value;
fetch('http://...../wp-json/api/v1/custom?code='+userInput+'&code_check='+code_check).then(r => r.json()).then(data => {
Now validate the wp_nonce_field field value:
public function custom($request)
{
$retrieved_nonce = $request['code_check'];
if (!wp_verify_nonce($retrieved_nonce, 'code_check' ) ) die( 'Failed security check' );
/***
you can also try (fails when the field is missing or the nonce does not verify)
if ( ! isset( $request['code_check'] ) || ! wp_verify_nonce( $request['code_check'], 'code_check' ) ) die( 'Failed security check' );
*******/
}
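The answer above keeps the custom nonce and `die()`, which is where the "Unexpected token F in JSON" comes from: `die('Failed security check')` sends a plain string and the browser tries to parse it as JSON. The example below is added here and is not the questioner's or answerer's code; it shows how the REST API is designed to be used with nonces. WordPress core's cookie authentication only sets the current user for a REST request when it carries a valid nonce for the action `wp_rest` (sent as the `X-WP-Nonce` header or a `_wpnonce` parameter); without it the request runs as user 0, so any per-user nonce created in the page fails to verify. The route namespace `demo/v1`, the option name and the six-digit code rule are constructed for the example.

```php
<?php
// Added example (not from the question or answer): a REST endpoint gated by the
// 'wp_rest' nonce plus a permission_callback, and the JS that sends the nonce.

const DEMO_EXPECTED_CODE_OPTION = 'demo_validation_code'; // constructed option name

// 1. Register the route. Core checks the X-WP-Nonce header before this runs and
//    sets the current user only when that nonce is valid.
function demo_register_route() {
    register_rest_route( 'demo/v1', '/check-code', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST keeps the code out of URLs and logs
        'callback'            => 'demo_check_code',
        'permission_callback' => function () {
            return is_user_logged_in(); // the real gate: who may call this at all
        },
        'args' => array(
            'code' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return (bool) preg_match( '/^\d{6}$/', $value ); // rejected before the callback runs
                },
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'demo_register_route' );

// 2. Handle the request. Return WP_REST_Response or WP_Error, never die(): both
//    are serialised as JSON, so the client's r.json() always succeeds.
function demo_check_code( WP_REST_Request $request ) {
    $expected = (string) get_option( DEMO_EXPECTED_CODE_OPTION, '' );
    $ok       = '' !== $expected && hash_equals( $expected, (string) $request['code'] );
    if ( ! $ok ) {
        return new WP_Error( 'demo_bad_code', 'Validation code incorrect.', array( 'status' => 403 ) );
    }
    return rest_ensure_response( array( 'valid' => true ) );
}

// 3. Front end: pass the endpoint URL and a 'wp_rest' nonce to the script, then
//    send the nonce in the X-WP-Nonce header together with the login cookies.
function demo_enqueue_script() {
    wp_register_script( 'demo-code-check', false, array(), '1.0', true ); // inline-only handle
    wp_enqueue_script( 'demo-code-check' );
    wp_localize_script( 'demo-code-check', 'demoApi', array(
        'url'   => esc_url_raw( rest_url( 'demo/v1/check-code' ) ),
        'nonce' => wp_create_nonce( 'wp_rest' ),
    ) );
    wp_add_inline_script( 'demo-code-check', <<<'JS'
window.customfunction = function () {
  var code = document.customForm.inputcode.value;
  fetch(demoApi.url, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json', 'X-WP-Nonce': demoApi.nonce },
    body: JSON.stringify({ code: code })
  }).then(function (r) { return r.json(); })   // a WP_Error arrives as JSON too
    .then(function (data) {
      var msg = document.getElementById('message');
      msg.style.display = 'block';
      msg.value = data.valid ? 'OK' : (data.message || 'Failed');
    });
};
JS
    );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_script' );
```

The form markup from the answer (name `customForm`, fields `inputcode` and `message`) is reused unchanged; the only change on the page is that the nonce travels in a header instead of a query string.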
I noticed a strange bug when testing out one of our Wordpress apps.
I have a form with an input field and if I type a number such as "3" anywhere in the input text Wordpress will throw a 404:
<input name="author" type="text" />
If I change the name attribute from author to anything else, it works fine:
<input name="bob" type="text" />
I'm not a Wordpress guru or even a PHP dev so I apologize if this is trivial. I've stripped out everything possible from this PHP page. Is there some Wordpress magic going on here where "author" is some sort of reserved word? Here's the entire PHP file (the header is a simple nav-bar and the footer just calls wp_footer()....):
<?php
/**
* Template Name: MyTemplate
*/
get_header();
if(isset($_POST['submitted'])):
echo "<H4>Submitted!</H4>";
else:
?>
<form id="my-form" action="<?php the_permalink(); ?>" method="post">
<input name="author" type="text" /><br/><br/>
<input type="hidden" name="submitted" id="submitted" value="true" />
<input type="submit" value="Submit"/>
</form>
<?php
endif;
get_footer();
OK wow.. So it looks like there are reserved words in form posts:
http://codex.wordpress.org/Function_Reference/register_taxonomy#Reserved_Terms
Sorry for such a novice question.
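The reason behind the 404 is that WP::parse_request() reads every public query variable from both $_GET and $_POST, so a POSTed author=3 turns the page request into an author archive for user ID 3 and returns 404 when that user does not exist. The following helper is an added example, not part of the question or answer: it checks a list of form field names against the query variables the running site actually registers (core, taxonomies and post types), which is more complete than the static codex list. It assumes it runs inside WordPress after the global $wp object exists; the my_ prefix it suggests is a constructed convention.

```php
<?php
// Added example (not from the question): report form field names that WordPress
// will interpret as query variables when the form is submitted.

function demo_reserved_field_names( array $field_names ) {
    global $wp;
    // Public vars are read straight from the request; private ones can still be
    // set through query_vars filters, so treat both as off limits for form fields.
    $reserved = array_merge( $wp->public_query_vars, $wp->private_query_vars );
    // Taxonomies and post types register their own query vars (category_name,
    // tag, or a custom "genre"); include those as well.
    foreach ( get_taxonomies( array(), 'objects' ) as $tax ) {
        if ( ! empty( $tax->query_var ) ) {
            $reserved[] = $tax->query_var;
        }
    }
    foreach ( get_post_types( array(), 'objects' ) as $pt ) {
        if ( ! empty( $pt->query_var ) ) {
            $reserved[] = $pt->query_var;
        }
    }
    $reserved = array_flip( array_unique( $reserved ) );

    $collisions = array();
    foreach ( $field_names as $name ) {
        // "profile[username]" is stored under "profile"; compare the base name.
        $base = strtok( $name, '[' );
        if ( isset( $reserved[ $base ] ) ) {
            $collisions[ $name ] = 'my_' . $base; // constructed prefix suggestion
        }
    }
    return $collisions;
}

// Usage with the two names from the question ("author" and "bob") plus the
// hidden "submitted" field and "s", which core uses for search. Runs on init,
// after create_initial_taxonomies() and create_initial_post_types() at priority 0.
add_action( 'init', function () {
    $collisions = demo_reserved_field_names( array( 'author', 'bob', 's', 'submitted' ) );
    error_log( 'Form field collisions: ' . wp_json_encode( $collisions ) );
} );
```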
If I want to get $_POST['username'] I write $this->request->getPost('username');. But how must I write it to get $_POST['profile']['username']?
$this->request->getPost('profile')['username'];
To be certain to avoid invalid key errors:
$profile = $this->request->getPost('profile');
$username = isset($profile['username']) ? $profile['username'] : null;
It's important to setup your form properly. You don't use [ ] around 'profile.' The php side won't know what to do with it if you post [profile][username]. It has to be profile[username]
<input type="text" name="profile[username]" value="jsmith" />
<input type="text" name="profile[password]" value="******" />
<?php
$profile = $this->request->getPost('profile');
echo $profile['username'];
?>
Output: "jsmith"
For multidimensional you would add a key of your own to base it on.
<input type="text" name="profile[first][username]" value="jsmith" />
<input type="text" name="profile[first][password]" value="******" />
<?php
$profile = $this->request->getPost('profile');
echo $profile['first']['username'];
?>
Output: "jsmith"
This is no way, because I use $this->request->getPost('useremail', 'email') for checking post data.
I have two files: the one which hosts my actual contact form, and then a file where I post the form to.
contactform.php (which is part of the footer template)
<form id="contact" action="<?php bloginfo('template_url'); ?>/sendmail.php" method="post">
<label for="name">Your name: *</label>
<input type="text" id="nameinput" name="name" value=""/>
<label for="email">Your email: *</label>
<input type="text" id="emailinput" name="email" value=""/>
<label for="comment">Your message: *</label>
<textarea cols="20" rows="7" id="commentinput" name="comment"> </textarea><br />
</form>
sendmail.php
<?PHP
if(isset($_POST['submit'])) {
error_reporting(E_NOTICE);
function valid_email($str)
{
return ( ! preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $str)) ? FALSE : TRUE;
}
if($_POST['name']!='' && $_POST['email']!='' && valid_email($_POST['email'])==TRUE && strlen($_POST['comment'])>1)
{
$to = preg_replace("([\r\n])", "", hexstr($_POST['receiver']));
$from = preg_replace("([\r\n])", "", $_POST['email']);
$subject = "Website contact message from ".$_POST['name'];
$message = $_POST['comment'];
$match = "/(bcc:|cc:|content\-type:)/i";
if (preg_match($match, $to) ||
preg_match($match, $from) ||
preg_match($match, $message)) {
die("Header injection detected.");
}
$headers = "From: ".$from."\r\n";
$headers .= "Reply-to: ".$from."\r\n";
if(wp_mail($to, $subject, $message, $headers,'',true))
{
echo 1; //SUCCESS
}
else {
echo 2; //FAILURE - server failure
}
}
else {
echo 3; //FAILURE - not valid email
}
}else{
die("Direct access not allowed!");
}
function hexstr($hexstr) {
$hexstr = str_replace(' ', '', $hexstr);
$hexstr = str_replace('\x', '', $hexstr);
$retstr = pack('H*', $hexstr);
return $retstr;
}
?>
The issue is that this file does not know of the wp_mail function. I know that I need to include something so wp_mail will be available, but what do I add? The function does exist. The issue with including the file that has wp_mail defined is that inside that function it requires some core PHP functions (wp_mail is being overwritten by the cimy_swift plugin).
Hi, why not try just submitting the form to the base wpurl, then within your header.php file copy and paste your code in?
i.e. using a hidden field you can check to see if it has been posted; in this case the hidden field is called 'action' and it has a value of 'sendemail'.
Form:
<form id="contact" action="<?php bloginfo('wpurl'); ?>" method="post">
//form stuff
<input type="hidden" name="action" value="sendemail" />
</form>
Header.php
within the header file we do a call to check and see if the form has been posted,
<html>
<head>
<title><?php wp_title();?></title>
<?php
if( isset($_POST['action']) && ($_POST['action']=='sendemail') ) {
// run your code
}
?>
</head>
If you don't want to go down that route, and wish to use your theme folder to hold the PHP script, then what to do is include the below in your sendmail.php file:
define('WP_USE_THEMES', FALSE);
require('../../../wp-blog-header.php');
//above is assuming your file is located in the theme root, not a sub folder.
this will give you access to all the wordpress functions and shortcodes etc..etc..
hope that helps a little..
Marty
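Marty's first suggestion (submit to WordPress itself and dispatch on a hidden `action` field) is exactly what admin-post.php does out of the box, which also answers the original question: the handler runs inside WordPress, so wp_mail() and the plugin that overrides it are already loaded. The example below is added here and is not the questioner's or Marty's code. It rewrites the contact form from the question in that style and removes the two risks in the original sendmail.php: the recipient is no longer taken from a (hex-encoded) form field, and the hand-written regex and header-injection check are replaced by is_email() and the sanitize_* functions, which strip CR/LF. The action name, nonce name and redirect parameters are constructed; it assumes it is loaded as a plugin or from functions.php.

```php
<?php
// Added example (not from the question or answer): the contact form handled
// through admin-post.php, with a fixed server-side recipient.

// 1. Form: posts to admin-post.php; the hidden "action" field selects the handler.
function demo_contact_form() {
    ?>
    <form id="contact" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>" method="post">
        <input type="hidden" name="action" value="demo_sendemail">
        <?php wp_nonce_field( 'demo_sendemail', 'demo_nonce' ); ?>
        <label for="nameinput">Your name: *</label>
        <input type="text" id="nameinput" name="name">
        <label for="emailinput">Your email: *</label>
        <input type="email" id="emailinput" name="email">
        <label for="commentinput">Your message: *</label>
        <textarea id="commentinput" name="comment" cols="20" rows="7"></textarea>
        <input type="submit" name="submit" value="Send">
    </form>
    <?php
}
add_action( 'wp_footer', 'demo_contact_form' );

// 2. Handler: registered for logged-in (admin_post_) and anonymous
//    (admin_post_nopriv_) visitors, since a contact form is normally public.
function demo_sendemail() {
    $nonce = isset( $_POST['demo_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['demo_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_sendemail' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $comment = sanitize_textarea_field( wp_unslash( $_POST['comment'] ?? '' ) );

    $back = wp_get_referer() ?: home_url( '/' );
    if ( '' === $name || ! is_email( $email ) || strlen( $comment ) < 2 ) {
        wp_safe_redirect( add_query_arg( 'contact', 'invalid', $back ) ); // same outcome as "echo 3"
        exit;
    }

    // The recipient never comes from the client: the original hexstr($_POST['receiver'])
    // let the submitter pick any address. The subject is one line after sanitizing.
    $to      = get_option( 'admin_email' );
    $subject = 'Website contact message from ' . $name;
    // Send from the site itself (wp_mail's default From:); a visitor-supplied From:
    // usually fails SPF/DMARC. The visitor address goes into Reply-To instead, and
    // sanitize_email() guarantees it is a single address with no CR/LF.
    $headers = array( 'Reply-To: ' . $email );

    $sent = wp_mail( $to, $subject, $comment, $headers );

    wp_safe_redirect( add_query_arg( 'contact', $sent ? 'sent' : 'failed', $back ) );
    exit;
}
add_action( 'admin_post_demo_sendemail', 'demo_sendemail' );
add_action( 'admin_post_nopriv_demo_sendemail', 'demo_sendemail' );
```

The template that renders the form can read the `contact` query parameter on the way back to show the success, failure or validation message that sendmail.php used to echo as 1, 2 or 3.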
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
PHP: “Notice: Undefined variable” and “Notice: Undefined index”
I am new to PHP and playing around with it. I have following code in my php file.
$output = "<div style='display:none'>
<div class='contact-top'></div>
<div class='contact-content'>
<h1 class='contact-title' style='text-align:center'>Write a Testimonial:</h1>
<div class='contact-loading' style='display:none'></div>
<div class='contact-message' style='display:none'></div>
<form action='#' style='display:none'>
<label for='contact-name'>*Name:</label>
<input type='text' id='contact-name' class='contact-input' name='name' tabindex='1001' />
<label for='contact-email'>*Email:</label>
<input type='text' id='contact-email' class='contact-input' name='email' tabindex='1002' />";
if ($extra["form_subject"]) {
$output .= "
<label for='contact-subject'>Subject:</label>
<input type='text' id='contact-subject' class='contact-input' name='subject' value='' tabindex='1003' />";
}
$output .= "
<label for='contact-message'>*Message:</label>
<textarea id='contact-message' class='contact-input' name='message' cols='40' rows='4' tabindex='1004'></textarea>
<br/>";
if ($extra["form_cc"]) {
$output .= "
<label> </label>
<input type='checkbox' id='contact-cc' name='cc' value='1' tabindex='1005' /> <span class='contact-cc'>Send me a copy</span>
<br/>";
}
$output .= "
<label> </label>
<button type='submit' class='contact-send contact-button' tabindex='1006'>Send</button>
<button type='submit' class='contact-cancel contact-button simplemodal-close' tabindex='1007'>Cancel</button>
<br/>
<input type='hidden' name='token' value='" . smcf_token($to) . "'/>
</form>
</div>
</div>";
echo $output;
When I try to run the code, the modal box appears, but it also shows a PHP error.
Below is the error message I am getting:
Notice: Undefined index: form_cc in F:\wamp\www\blog\wordpress\wp-content\plugins\demo\contact.php on line 56
Any idea what is going wrong?
Because the array extra has no index called form_cc. Do a var_dump of the array extra, so you can see where your problem lies. Also use the isset() and empty() methods.
Simple: it seems that you do not have a definition of this index in the array; in this case, it seems that you are not getting the value of the input.
In this case simply use:
if (!empty($extra["form_cc"])) {
...
}
empty() will check existence of key/index in the array and also whether value is set or not.
The problem is that in the $extra array you don't have a position (index) called "form_cc". Thus, you should use
if (! empty($extra["form_cc"]))
{
// do stuff
}
if (isset($extra["form_cc"])) {
...
}
will remove the warning message; it is a good habit to check isset().