Do I need a nonce field for every meta box I add to my custom post type admin?

The question:

I’m currently working on the admin page of my custom post type, and I got stuck on deciding whether to add a nonce field again for the second metabox or not. I’m very new to custom post types, and searching online about this doesn’t really yield that many results.

Any thoughts? Thanks.

The Solutions:

Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.

Method 1

I would recommend so.

You do (and should) have your own nonce with which to check the origin of the data and the intent of the user. If you have just one nonce for a metabox – then you run into problems if that metabox is removed (not the same as hidden). If removed, the second metabox will (or at least should) never save, since the nonce is no longer sent.

Of course from a security point of view, nothing is added by a second nonce – unless you ever wish to only update one metabox and not the other: nonces should be unique to the action.


Edit

As pointed out, there is only one form for the post edit screen. So, in theory, you only need one nonce field with which to validate the action and the origin of the data. However, since metaboxes can be removed, having a nonce field in only one metabox gives no guarantee the nonce will be there. By placing a nonce field in each metabox you can check if data from that metabox has been sent (and is actually from where you think it is) prior to processing any data. E.g.:

function save_post_call_back( $post_id ) {

  // Check this is not an auto-save route
  if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
    return;
  }

  // Field and action names below are placeholders; each metabox gets its own pair.
  if ( isset( $_POST['metabox1_nonce'] ) && wp_verify_nonce( $_POST['metabox1_nonce'], 'save_metabox1_' . $post_id ) ) {
     // Process data from metabox1
  } else {
    // Either metabox removed - or invalid nonce. Take no action.
  }

  if ( isset( $_POST['metabox2_nonce'] ) && wp_verify_nonce( $_POST['metabox2_nonce'], 'save_metabox2_' . $post_id ) ) {
     // Process data from metabox2
  } else {
    // Either metabox removed - or invalid nonce. Take no action.
  }

}
add_action( 'save_post', 'save_post_call_back' );

The name of the nonce field should be unique to the metabox (and not clash with any other nonces that are present on the form from other plug-ins).

The nonce value should be unique to the action (and this generally should include the origin of the data (e.g. edit-post as opposed to quick-edit)). I generally include the post ID too.
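The following is an added, complete example (not code from the original answer) of the per-metabox pattern Method 1 describes: two meta boxes on a hypothetical `book` post type, each emitting its own nonce field whose action string includes the post ID, and one `save_post_book` handler that verifies each nonce independently and only touches the data belonging to a box whose nonce arrived and validated. The post type, meta box IDs, field names, nonce names, action strings and meta keys are all assumptions chosen for this example. It also adds the two checks a practitioner would want alongside the nonce: a `DOING_AUTOSAVE` bail-out and a `current_user_can()` check, because a nonce proves intent and origin but says nothing about authorization.

```php
<?php
/**
 * Added example, not part of the original Q&A. Hypothetical 'book' post type
 * with two meta boxes, each protected by its own nonce. All names below are
 * assumptions for this example.
 */

add_action( 'add_meta_boxes_book', 'example_book_add_meta_boxes' );
function example_book_add_meta_boxes() {
    add_meta_box( 'example_book_isbn', 'ISBN', 'example_book_isbn_box', 'book', 'side' );
    add_meta_box( 'example_book_price', 'Price', 'example_book_price_box', 'book', 'side' );
}

function example_book_isbn_box( $post ) {
    // Nonce action is unique to this box and includes the post ID.
    wp_nonce_field( 'example_book_isbn_save_' . $post->ID, 'example_book_isbn_nonce' );
    $isbn = get_post_meta( $post->ID, '_example_isbn', true );
    printf(
        '<label for="example_isbn">ISBN</label> <input type="text" id="example_isbn" name="example_isbn" value="%s" />',
        esc_attr( $isbn )
    );
}

function example_book_price_box( $post ) {
    // Different action string and different field name from the ISBN box.
    wp_nonce_field( 'example_book_price_save_' . $post->ID, 'example_book_price_nonce' );
    $price = get_post_meta( $post->ID, '_example_price', true );
    printf(
        '<label for="example_price">Price</label> <input type="text" id="example_price" name="example_price" value="%s" />',
        esc_attr( $price )
    );
}

add_action( 'save_post_book', 'example_book_save', 10, 2 );
function example_book_save( $post_id, $post ) {
    // Autosaves and revisions never carry the meta box fields; bail early.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( wp_is_post_revision( $post_id ) ) {
        return;
    }
    // A nonce is not an authorization check: confirm the user may edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Meta box 1: process only if its own nonce was submitted and verifies.
    // If the box was removed via remove_meta_box() or the request is forged,
    // the nonce is absent or invalid and the stored value is left untouched.
    if ( isset( $_POST['example_book_isbn_nonce'] )
        && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['example_book_isbn_nonce'] ) ), 'example_book_isbn_save_' . $post_id )
    ) {
        $isbn = isset( $_POST['example_isbn'] ) ? sanitize_text_field( wp_unslash( $_POST['example_isbn'] ) ) : '';
        update_post_meta( $post_id, '_example_isbn', $isbn );
    }

    // Meta box 2: verified separately against its own action string, so a
    // nonce minted for the ISBN box cannot be replayed to update the price.
    if ( isset( $_POST['example_book_price_nonce'] )
        && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['example_book_price_nonce'] ) ), 'example_book_price_save_' . $post_id )
    ) {
        $price = isset( $_POST['example_price'] ) ? floatval( wp_unslash( $_POST['example_price'] ) ) : 0;
        update_post_meta( $post_id, '_example_price', $price );
    }
}
```

The practical effect of the per-box nonce is visible in the save handler: removing one box from the screen (or a plugin failing to render it) silently skips only that box's branch instead of either aborting the whole save or, worse, overwriting its meta with empty values from missing fields. Prefixing every field and nonce name with something specific to your plugin avoids the clash with other plugins' nonces that Method 1 warns about.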

Method 2

You could also hook the submit box, which never disappears, adding the nonce field to it:

add_action( 'post_submitbox_start', 'theme_submitdiv_extra' );
function theme_submitdiv_extra()
{
  wp_nonce_field( 'theme_meta_box_nonce', 'meta_box_nonce' );
}

Then, in your save_post action:

if( !isset( $_POST['meta_box_nonce'] ) || !wp_verify_nonce( $_POST['meta_box_nonce'], 'theme_meta_box_nonce' ) ) return;

Method 3

The nonce field is used to validate that the contents of the form came from the location on the current site and not somewhere else.

codex: wp_nonce_field

Only one nonce field per form is required; using more than one makes no sense to me.

Maybe you can investigate and use check_admin_referer() to be sure your request is from an admin page.

Method 4

In WP 3.5.2 the whole edit page is wrapped in a form tag, so you should NOT add your own form tags!! If you still do that and try to add another separate custom meta box, it will fail when saving and only lead you to the wp-admin home when trying to save!!

Also, do NOT add the nonce field either, as there is only supposed to be one per form (this also might make it fail!!). And the page edit already has a nonce field!

Edit:

The thing is, 1) there is only one form tag for the whole edit screen, as the correct answer's author has admitted, and 2) it automatically has a nonce added to it. Why would you have to add more? It will always have the nonce no matter what…

The intent, in my view, is to edit the page by content or meta data, e.g. one nonce field… Also, when I tried to add more it didn't even work with multiple meta boxes!! One will work and the other will fail and only redirect the user to the wp-admin home!


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
