{"id":7405,"date":"2014-06-12T03:11:10","date_gmt":"2014-06-12T03:11:10","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/06\/12\/security-ajax-nonce-use-collection-of-common-programming-errors\/"},"modified":"2014-06-12T03:11:10","modified_gmt":"2014-06-12T03:11:10","slug":"security-ajax-nonce-use-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/06\/12\/security-ajax-nonce-use-collection-of-common-programming-errors\/","title":{"rendered":"Security &#8211; Ajax &amp; Nonce use-Collection of common programming errors"},"content":{"rendered":"<ul>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/74ed58457a9b1cb04f854ae5ca531ca5?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nCam<\/p>\n<p>I&#8217;m developing a site which posts a number of ajax calls from jQuery to PHP and returns data from PHP to jQuery.<\/p>\n<p>Everything is working, but I&#8217;d like to know if my approach to handling the calls is ok, in regard to security, and if there&#8217;s any further security measures I could take or keep in mind.<\/p>\n<p>To run through my process:<\/p>\n<p><strong>functions.php file<\/strong><\/p>\n<ol>\n<li>\n<p>Set up wp_localize_script() &amp; passed it the variables for ajax url and nonce &#8211;<\/p>\n<pre><code> wp_localize_script( 'main', 'WP', array( \n     'AJAX_URL' =&gt; admin_url( 'admin-ajax.php'), \n     'NONCE' =&gt; wp_create_nonce( 'ajax_custom_nonce' ) \n )); \n<\/code><\/pre>\n<\/li>\n<\/ol>\n<p><strong>myscript.js file<\/strong><\/p>\n<ol>\n<li>\n<p>In my js file I&#8217;ve sent my post request using jQuery:<\/p>\n<pre><code>$.ajax({\n    type : \"post\",\n    url: WP.AJAX_URL,\n    data: ({action : 'request_handler', \n        id : 'content_id',   \n        nonce : WP.NONCE }),\n    success: function(data) {}\n})\n<\/code><\/pre>\n<\/li>\n<\/ol>\n<p><strong>ajax.php file<\/strong><\/p>\n<ol>\n<li>\n<p>ajax.php file receives ajax post, calls 
request_handler();<\/p>\n<pre><code>add_action(\"wp_ajax_nopriv_request_handler\", \"request_handler\");\nadd_action(\"wp_ajax_request_handler\", \"request_handler\");\n<\/code><\/pre>\n<\/li>\n<li>\n<p>request_handler() checks the nonce, gets the post id &amp; runs a switch statement to call the required function.<\/p>\n<pre><code> function request_handler() { \n     \/\/ check the nonce\n     $nonce = $_POST['nonce'];\n\n     if ( ! wp_verify_nonce( $nonce, 'ajax_custom_nonce' ) ) \n         die ('busted');\n\n    $id = $_POST['id']; \n\n    switch ($id) {\n        case 'vimeo_embed':\n            require_once(TEMPLATEPATH . '\/library\/vimeo.php'); \n            load_vimeo();  \n        break; \n        case 'popup':  \n            require_once(TEMPLATEPATH . '\/library\/popup.php'); \n            load_popup();\n        break;\n\n        ....etc\n    }\n } \n<\/code><\/pre>\n<\/li>\n<\/ol>\n<p>Thanks<\/p>\n<\/li>\n<li><img decoding=\"async\" src=\"http:\/\/www.gravatar.com\/avatar\/cd461ffbf431f9f0d60b5be66736c08f?s=32&amp;d=identicon&amp;r=PG\" \/><br \/>\nMickle Foretic<\/p>\n<p>The code seems fine. I guess the only thing to watch for is how you handle unexpected values of $id; I guess a default would work fine in that switch.<\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Cam I&#8217;m developing a site which posts a number of ajax calls from jQuery to PHP and returns data from PHP to jQuery. 
Everything is working, but I&#8217;d like to know if my approach to handling the calls is ok, in regard to security, and if there&#8217;s any further security measures I could take or keep [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7405","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/7405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=7405"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/7405\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=7405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=7405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=7405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}