check_ajax_referer( int|string $action = -1, false|string $query_arg = false, bool $die = true ): int|false
Verifies the Ajax request to prevent processing requests that originate outside the blog.
Parameters
- $action (int|string, optional): Action nonce. Default: -1
- $query_arg (false|string, optional): Key to check for the nonce in $_REQUEST (since 2.5). If false, $_REQUEST values will be evaluated for '_ajax_nonce', and '_wpnonce' (in that order). Default: false
- $die (bool, optional): Whether to die early when the nonce cannot be verified. Default: true
Return
int|false: 1 if the nonce is valid and generated between 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. False if the nonce is invalid.
More Information
Nonces should never be relied on for authentication, authorization, or access control. Protect your functions using current_user_can() and always assume that nonces can be compromised.
This function can be replaced via plugins. If plugins do not redefine these functions, then this will be used instead.
If $query_arg is not specified (i.e. defaults to false), then the function will look for the nonce in '_ajax_nonce'. If that is not set, then it will assume that the nonce is in '_wpnonce', regardless of whether that query arg actually exists.
If $die is set to true, execution of the script will be stopped if the nonce cannot be verified, and the output will be '-1'.
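An added example (not part of the WordPress reference or core code) of an Ajax handler that applies the notes above: it requires the nonce in its own field, passes `$die = false` to handle failure itself, and checks a capability separately from the nonce. The `acme_*` names, the `acme-note` script handle, the `security` field, the `edit_posts` capability and the `acme_note` meta key are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Acme Note (constructed example, not WordPress core code)
 */

const ACME_NONCE_ACTION = 'acme_save_note'; // Hypothetical nonce action name.

// Hand the nonce to the admin-side script ('acme-note' is a hypothetical handle).
add_action( 'admin_enqueue_scripts', function () {
    wp_register_script( 'acme-note', plugins_url( 'note.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'acme-note', 'acmeNote', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( ACME_NONCE_ACTION ),
    ) );
    wp_enqueue_script( 'acme-note' );
} );

// Logged-in users only: no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_acme_save_note', 'acme_ajax_save_note' );

function acme_ajax_save_note() {
    // Require the nonce in our own field. If 'security' is absent,
    // check_ajax_referer() falls through to '_ajax_nonce', then '_wpnonce'.
    if ( ! isset( $_REQUEST['security'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing nonce.' ), 400 );
    }

    // $die = false: inspect the return value and answer with JSON instead of '-1'.
    $nonce_age = check_ajax_referer( ACME_NONCE_ACTION, 'security', false );
    if ( false === $nonce_age ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // A valid nonce is not authorization; check the capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    update_user_meta( get_current_user_id(), 'acme_note', $note );

    // 1 = generated 0-12 hours ago, 2 = 12-24 hours ago; at 2 the client should fetch a fresh nonce.
    wp_send_json_success( array( 'refresh_nonce' => ( 2 === $nonce_age ) ) );
}
```

`wp_send_json_error()` terminates the request, so each failed check stops the handler before any data is written.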
Source
File: wp-includes/pluggable.php.
```php
function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) {
    if ( -1 == $action ) {
        _doing_it_wrong( __FUNCTION__, __( 'You should specify an action to be verified by using the first parameter.' ), '4.7.0' );
    }

    $nonce = '';

    if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) ) {
        $nonce = $_REQUEST[ $query_arg ];
    } elseif ( isset( $_REQUEST['_ajax_nonce'] ) ) {
        $nonce = $_REQUEST['_ajax_nonce'];
    } elseif ( isset( $_REQUEST['_wpnonce'] ) ) {
        $nonce = $_REQUEST['_wpnonce'];
    }

    $result = wp_verify_nonce( $nonce, $action );

    /**
     * Fires once the Ajax request has been validated or not.
     *
     * @since 2.1.0
     *
     * @param string    $action The Ajax nonce action.
     * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between
     *                          0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago.
     */
    do_action( 'check_ajax_referer', $action, $result );

    if ( $die && false === $result ) {
        if ( wp_doing_ajax() ) {
            wp_die( -1, 403 );
        } else {
            die( '-1' );
        }
    }

    return $result;
}
```
Hooks
- do_action( 'check_ajax_referer', string $action, false|int $result ): Fires once the Ajax request has been validated or not.
Related
Uses
| Uses | Description |
|---|---|
| wp_doing_ajax() wp-includes/load.php | Determines whether the current request is a WordPress Ajax request. |
| wp_verify_nonce() wp-includes/pluggable.php | Verifies that a correct security nonce was used with time limit. |
| __() wp-includes/l10n.php | Retrieves the translation of $text. |
| _doing_it_wrong() wp-includes/functions.php | Marks something as being incorrectly called. |
| wp_die() wp-includes/functions.php | Kills WordPress execution and displays HTML page with an error message. |
| do_action() wp-includes/plugin.php | Calls the callback functions that have been added to an action hook. |
Used By
| Used By | Description |
|---|---|
| wp_ajax_send_password_reset() wp-admin/includes/ajax-actions.php | Ajax handler sends a password reset link. |
| wp_ajax_toggle_auto_updates() wp-admin/includes/ajax-actions.php | Ajax handler to enable or disable plugin and theme auto-updates. |
| wp_ajax_media_create_image_subsizes() wp-admin/includes/ajax-actions.php | Ajax handler for creating missing image sub-sizes for just uploaded images. |
| wp_ajax_health_check_get_sizes() wp-admin/includes/ajax-actions.php | Ajax handler for site health check to get directories and database sizes. |
| wp_ajax_health_check_dotorg_communication() wp-admin/includes/ajax-actions.php | Ajax handler for site health checks on server communication. |
| wp_ajax_health_check_background_updates() wp-admin/includes/ajax-actions.php | Ajax handler for site health checks on background updates. |
| wp_ajax_health_check_loopback_requests() wp-admin/includes/ajax-actions.php | Ajax handler for site health checks on loopback requests. |
| wp_ajax_health_check_site_status_result() wp-admin/includes/ajax-actions.php | Ajax handler for site health check to update the result status. |
| wp_ajax_wp_privacy_export_personal_data() wp-admin/includes/ajax-actions.php | Ajax handler for exporting a user’s personal data. |
| wp_ajax_wp_privacy_erase_personal_data() wp-admin/includes/ajax-actions.php | Ajax handler for erasing personal data. |
| WP_Customize_Manager::handle_load_themes_request() wp-includes/class-wp-customize-manager.php | Loads themes into the theme browsing/installation UI. |
| WP_Customize_Manager::handle_override_changeset_lock_request() wp-includes/class-wp-customize-manager.php | Removes changeset lock when take over request is sent via Ajax. |
| WP_Customize_Manager::handle_dismiss_autosave_or_lock_request() wp-includes/class-wp-customize-manager.php | Deletes a given auto-draft changeset or the autosave revision for a given changeset or delete changeset lock. |
| WP_Customize_Manager::handle_changeset_trash_request() wp-includes/class-wp-customize-manager.php | Handles request to trash a changeset. |
| wp_ajax_get_community_events() wp-admin/includes/ajax-actions.php | Handles Ajax requests for community events |
| WP_Customize_Nav_Menus::ajax_insert_auto_draft_post() wp-includes/class-wp-customize-nav-menus.php | Ajax handler for adding a new auto-draft post. |
| wp_ajax_search_install_plugins() wp-admin/includes/ajax-actions.php | Ajax handler for searching plugins to install. |
| wp_ajax_delete_plugin() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a plugin. |
| wp_ajax_search_plugins() wp-admin/includes/ajax-actions.php | Ajax handler for searching plugins. |
| wp_ajax_install_theme() wp-admin/includes/ajax-actions.php | Ajax handler for installing a theme. |
| wp_ajax_update_theme() wp-admin/includes/ajax-actions.php | Ajax handler for updating a theme. |
| wp_ajax_delete_theme() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a theme. |
| wp_ajax_install_plugin() wp-admin/includes/ajax-actions.php | Ajax handler for installing a plugin. |
| wp_ajax_get_post_thumbnail_html() wp-admin/includes/ajax-actions.php | Ajax handler for retrieving HTML for the featured image. |
| wp_ajax_save_wporg_username() wp-admin/includes/ajax-actions.php | Ajax handler for saving the user’s WordPress.org username. |
| wp_ajax_delete_inactive_widgets() wp-admin/includes/ajax-actions.php | Ajax handler for removing inactive widgets. |
| WP_Customize_Nav_Menus::ajax_load_available_items() wp-includes/class-wp-customize-nav-menus.php | Ajax handler for loading available menu items. |
| WP_Customize_Nav_Menus::ajax_search_available_items() wp-includes/class-wp-customize-nav-menus.php | Ajax handler for searching available menu items. |
| wp_ajax_crop_image() wp-admin/includes/ajax-actions.php | Ajax handler for cropping an image. |
| wp_ajax_update_plugin() wp-admin/includes/ajax-actions.php | Ajax handler for updating a plugin. |
| Custom_Background::ajax_background_add() wp-admin/includes/class-custom-background.php | Handles Ajax request for adding custom background context to an attachment. |
| wp_ajax_save_attachment_order() wp-admin/includes/ajax-actions.php | Ajax handler for saving the attachment order. |
| wp_ajax_send_attachment_to_editor() wp-admin/includes/ajax-actions.php | Ajax handler for sending an attachment to the editor. |
| wp_ajax_send_link_to_editor() wp-admin/includes/ajax-actions.php | Ajax handler for sending a link to the editor. |
| wp_ajax_save_user_color_scheme() wp-admin/includes/ajax-actions.php | Ajax handler for auto-saving the selected color scheme for a user’s own profile. |
| wp_ajax_save_widget() wp-admin/includes/ajax-actions.php | Ajax handler for saving a widget. |
| wp_ajax_upload_attachment() wp-admin/includes/ajax-actions.php | Ajax handler for uploading attachments |
| wp_ajax_image_editor() wp-admin/includes/ajax-actions.php | Ajax handler for image editing. |
| wp_ajax_set_post_thumbnail() wp-admin/includes/ajax-actions.php | Ajax handler for setting the featured image. |
| wp_ajax_wp_fullscreen_save_post() wp-admin/includes/ajax-actions.php | Ajax handler for saving posts from the fullscreen editor. |
| wp_ajax_wp_remove_post_lock() wp-admin/includes/ajax-actions.php | Ajax handler for removing a post lock. |
| wp_ajax_save_attachment() wp-admin/includes/ajax-actions.php | Ajax handler for updating attachment attributes. |
| wp_ajax_save_attachment_compat() wp-admin/includes/ajax-actions.php | Ajax handler for saving backward compatible attachment attributes. |
| wp_ajax_add_menu_item() wp-admin/includes/ajax-actions.php | Ajax handler for adding a menu item. |
| wp_ajax_add_meta() wp-admin/includes/ajax-actions.php | Ajax handler for adding meta. |
| wp_ajax_add_user() wp-admin/includes/ajax-actions.php | Ajax handler for adding a user. |
| wp_ajax_closed_postboxes() wp-admin/includes/ajax-actions.php | Ajax handler for closed post boxes. |
| wp_ajax_hidden_columns() wp-admin/includes/ajax-actions.php | Ajax handler for hidden columns. |
| wp_ajax_update_welcome_panel() wp-admin/includes/ajax-actions.php | Ajax handler for updating whether to display the welcome panel. |
| wp_ajax_wp_link_ajax() wp-admin/includes/ajax-actions.php | Ajax handler for internal linking. |
| wp_ajax_menu_locations_save() wp-admin/includes/ajax-actions.php | Ajax handler for menu locations save. |
| wp_ajax_meta_box_order() wp-admin/includes/ajax-actions.php | Ajax handler for saving the meta box order. |
| wp_ajax_get_permalink() wp-admin/includes/ajax-actions.php | Ajax handler to retrieve a permalink. |
| wp_ajax_sample_permalink() wp-admin/includes/ajax-actions.php | Ajax handler to retrieve a sample permalink. |
| wp_ajax_inline_save() wp-admin/includes/ajax-actions.php | Ajax handler for Quick Edit saving a post from a list table. |
| wp_ajax_inline_save_tax() wp-admin/includes/ajax-actions.php | Ajax handler for quick edit saving for a term. |
| wp_ajax_find_posts() wp-admin/includes/ajax-actions.php | Ajax handler for querying posts for the Find Posts modal. |
| wp_ajax_widgets_order() wp-admin/includes/ajax-actions.php | Ajax handler for saving the widgets order. |
| _wp_ajax_add_hierarchical_term() wp-admin/includes/ajax-actions.php | Ajax handler for adding a hierarchical term. |
| wp_ajax_delete_comment() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a comment. |
| wp_ajax_delete_tag() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a tag. |
| wp_ajax_delete_link() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a link. |
| wp_ajax_delete_meta() wp-admin/includes/ajax-actions.php | Ajax handler for deleting meta. |
| wp_ajax_delete_post() wp-admin/includes/ajax-actions.php | Ajax handler for deleting a post. |
| wp_ajax_trash_post() wp-admin/includes/ajax-actions.php | Ajax handler for sending a post to the Trash. |
| wp_ajax_delete_page() wp-admin/includes/ajax-actions.php | Ajax handler to delete a page. |
| wp_ajax_dim_comment() wp-admin/includes/ajax-actions.php | Ajax handler to dim a comment. |
| wp_ajax_add_link_category() wp-admin/includes/ajax-actions.php | Ajax handler for adding a link category. |
| wp_ajax_add_tag() wp-admin/includes/ajax-actions.php | Ajax handler to add a tag. |
| wp_ajax_get_comments() wp-admin/includes/ajax-actions.php | Ajax handler for getting comments. |
| wp_ajax_replyto_comment() wp-admin/includes/ajax-actions.php | Ajax handler for replying to a comment. |
| wp_ajax_edit_comment() wp-admin/includes/ajax-actions.php | Ajax handler for editing a comment. |
| wp_ajax_fetch_list() wp-admin/includes/ajax-actions.php | Ajax handler for fetching a list table. |
| wp_ajax_wp_compression_test() wp-admin/includes/ajax-actions.php | Ajax handler for compression testing. |
| wp_ajax_imgedit_preview() wp-admin/includes/ajax-actions.php | Ajax handler for image editor previews. |
| Custom_Image_Header::ajax_header_crop() wp-admin/includes/class-custom-image-header.php | Gets attachment uploaded by Media Manager, crops it, then saves it as a new object. Returns JSON-encoded object details. |
| Custom_Image_Header::ajax_header_add() wp-admin/includes/class-custom-image-header.php | Given an attachment ID for a header image, updates its “last used” timestamp to now. |
| Custom_Image_Header::ajax_header_remove() wp-admin/includes/class-custom-image-header.php | Given an attachment ID for a header image, unsets it as a user-uploaded header image for the active theme. |
| Custom_Background::wp_set_background_image() wp-admin/includes/class-custom-background.php | |
| WP_Customize_Manager::save() wp-includes/class-wp-customize-manager.php | Handles customize_save WP Ajax request to save/update a changeset. |
| WP_Customize_Manager::setup_theme() wp-includes/class-wp-customize-manager.php | Starts preview and customize theme. |
| WP_Customize_Widgets::wp_ajax_update_widget() wp-includes/class-wp-customize-widgets.php | Updates widget settings asynchronously. |
Changelog
| Version | Description |
|---|---|
| 2.0.3 | Introduced. |
© 2003–2022 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/check_ajax_referer