WP nonce verification

时间:2018-11-19 作者:Demonix

我正忙着通过Travis测试插件,剩下的问题只有:

Processing form data without nonce verification

这似乎与这一行动有关:

/***处理来自PayFast的呼叫以告知下达订单的操作已完成*/

function payfast_ipn() {
$give_options = give_get_settings();

if ( isset( $_REQUEST[\'m_payment_id\'] ) ) {

    if ( give_is_test_mode() ) {
        $pf_host = \'https://sandbox.payfast.co.za/eng/query/validate\';
        give_insert_payment_note( $_REQUEST[\'m_payment_id\'], \'ITN callback has been triggered.\' );
    } else {
        $pf_host = \'https://www.payfast.co.za/eng/query/validate\';
    }

    $pf_error         = false;
    $pf_param_string  = \'\';
    $validate_string  = \'\';

    if ( ! $pf_error ) {
        // Strip any slashes in data.
        foreach wp_verify_nonce( $_POST as $key => $val ) {
            $_POST[ $key ] = stripslashes( $val );
        }
        foreach ( $_POST as $key => $val ) {
            if ( \'signature\' != $key ) {
                $pf_param_string .= $key . \'=\' . urlencode( $val ) . \'&\';
            }
        }
        $pf_param_string = substr( $pf_param_string, 0, - 1 );
        $validate_string = $pf_param_string;
        if ( isset( $give_options[\'payfast_pass_phrase\'] ) ) {
            $pass_phrase = trim( $give_options[\'payfast_pass_phrase\'] );
            if ( ! empty( $pass_phrase ) ) {
                $pf_param_string .= \'&pass_phrase=\' . urlencode( $pass_phrase );
            }
        }
    }
    $signature = md5( $pf_param_string );

    if ( give_is_test_mode() ) {
        // translators:
        give_insert_payment_note( $_REQUEST[\'m_payment_id\'], sprintf( __( \'Signature Returned %1$s. Generated Signature %2$s.\', \'payfast_give\' ), $_POST[\'signature\'], $signature ) );
    }

    if ( $signature != $_POST[\'signature\'] ) {
        $pf_error = \'SIGNATURE\';
        $error   = array(
            \'oursig\' => $signature,
            \'vars\'   => $_POST,
        );
    }

    if ( ! $pf_error ) {
        $valid_hosts = array(
            \'www.payfast.co.za\',
            \'sandbox.payfast.co.za\',
            \'w1w.payfast.co.za\',
            \'w2w.payfast.co.za\',
        );

        $valid_ips  = array();
        $sender_ip = payfast_get_realip();
        foreach ( $valid_hosts as $pf_hostname ) {
            $ips = gethostbynamel( $pf_hostname );

            if ( false !== $ips ) {
                $valid_ips = array_merge( $valid_ips, $ips );
            }
        }

        $valid_ips = array_unique( $valid_ips );

        if ( ! in_array( $sender_ip, $valid_ips ) ) {
            $pf_error = array(
                \'FROM\'  => $sender_ip,
                \'VALID\' => $valid_ips,
            );
        }
    }

    /*
    * If it fails for any reason, add that to the order.
    */
    if ( false !== $pf_error ) {
        // translators:
        give_insert_payment_note( $_POST[\'m_payment_id\'], sprintf( __( \'Payment Failed. The error is %s.\', \'payfast_give\' ), print_r( $pf_error, true ) ) );
    } else {

        $response = wp_remote_post(
            $pf_host, array(
                \'method\'      => \'POST\',
                \'timeout\'     => 60,
                \'redirection\' => 5,
                \'httpversion\' => \'1.0\',
                \'blocking\'    => true,
                \'headers\'     => array(),
                \'body\'        => $validate_string,
                \'cookies\'     => array(),
            )
        );

        if ( give_is_test_mode() ) {
            give_insert_payment_note(
                $_POST[\'m_payment_id\'], sprintf(
                    // translators:
                    __( \'PayFast ITN Params - %1$s %2$s.\', \'payfast_give\' ), $pf_host, print_r(
                        array(
                            \'method\'      => \'POST\',
                            \'timeout\'     => 60,
                            \'redirection\' => 5,
                            \'httpversion\' => \'1.0\',
                            \'blocking\'    => true,
                            \'headers\'     => array(),
                            \'body\'        => $validate_string,
                            \'cookies\'     => array(),
                        ), true
                    )
                )
            );
            // translators:
            give_insert_payment_note( $_POST[\'m_payment_id\'], sprintf( __( \'PayFast ITN Response. %s.\', \'payfast_give\' ), print_r( $response[\'body\'], true ) ) );
        }

        if ( ! is_wp_error( $response ) && ( $response[\'response\'][\'code\'] >= 200 || $response[\'response\'][\'code\'] < 300 ) ) {
            $res = $response[\'body\'];
            if ( false == $res ) {
                $pf_error = $response;

            }
        }
    }

    if ( ! $pf_error ) {
        $lines = explode( "\\n", $res );
    }

    if ( ! $pf_error ) {
        $result = trim( $lines[0] );

        if ( strcmp( $result, \'VALID\' ) === 0 ) {
            if ( \'COMPLETE\' == $_POST[\'payment_status\'] ) {

                if ( ! empty( $_POST[\'custom_str2\'] ) ) {
                    $subscription = new Give_Subscription( $_POST[\'custom_str2\'], true );
                    // Retrieve pending subscription from database and update it\'s status to active and set proper profile ID.
                    $subscription->update(
                        array(
                            \'profile_id\' => $_POST[\'token\'],
                            \'status\'     => \'active\',
                        )
                    );
                }
                give_set_payment_transaction_id( $_POST[\'m_payment_id\'], $_POST[\'pf_payment_id\'] );
                // translators:
                give_insert_payment_note( $_POST[\'m_payment_id\'], sprintf( __( \'PayFast Payment Completed. The Transaction Id is %s.\', \'payfast_give\' ), $_POST[\'pf_payment_id\'] ) );
                give_update_payment_status( $_POST[\'m_payment_id\'], \'publish\' );

            } else {
                // translators:
                give_insert_payment_note( $_POST[\'m_payment_id\'], sprintf( __( \'PayFast Payment Failed. The Response is %s.\', \'payfast_give\' ), print_r( $response[\'body\'], true ) ) );
            }
        }
    }
}
}
add_action( \'wp_head\', \'payfast_ipn\' );
如何添加WP Nonce?发现很难应用。

1 个回复
SO网友:Fencer04

如果这是来自表单,则可以使用以下代码将nonce添加到表单中:

// Create an nonce, and add it as a query var in a link to perform an action.
$nonce = wp_create_nonce( \'my-nonce\' );

<form action=\'youraction?_wpnonce=<?php echo $nonce?>\'>
    <!-- Form Contents -->
</form>
然后,您可以将其添加到处理表单的位置:

$nonce = $_REQUEST[\'_wpnonce\'];

if ( ! wp_verify_nonce( $nonce, \'my-nonce\' ) ) {

     die( \'Security check\' ); 

} else {

     // Do stuff here.
}

结束
标签: plugins   coding-standards   小码农  

相关推荐

PLUGINS_LOADED操作工作不正常

我试图在表单提交后向用户发送电子邮件,但出现错误Call to undefined function wp_mail() in C:\\xampp\\htdocs\\wordpress\\wp-content\\plugins\\contact form\\contact-form-plugin.php on line 46<我在谷歌上搜索了一下,发现它与add_action( \'plugins_loaded\', \'functionShowForm\' );.我在代码中添加了这一行,但它在主窗