Is creating a nonce token for custom meta_box redundant?

  • Hello.
    Just as explained on the Codex page for the function “add_meta_box”, I added a custom meta_box for a certain custom post type, like the following (using PHP 5.3):

    add_action("add_meta_boxes_somepost_type", function(){
      add_meta_box("HooHoo", "hoo", function($post){
        // (*) render hidden input field for nonce
        wp_nonce_field("hoo_save", "hoo_nonce");
        // render some <input> or <select> elements...
        echo '<input type="text" name="hoodata" value="' . esc_attr(get_post_meta($post->ID, "hoo", true)) . '">';
      }, "somepost_type");
    });
    add_action("save_post", function($post_id, $post){
      // verify nonce
      if (!isset($_POST["hoo_nonce"]) || !wp_verify_nonce($_POST["hoo_nonce"], "hoo_save")) return;
      // and, verify anything else...
      add_post_meta($post_id, "hoo", sanitize_text_field($_POST["hoodata"]), true);
    }, 10, 2); // accepted_args = 2 so $post is passed to the callback

    Also, in the example code shown on the Codex page, the callback for “add_meta_box” creates a special nonce token (at (*) in the code above) and an action hooked into “save_post” verifies the token. But a default nonce token “_wpnonce” is also created and is verified, before the save_post action executes, by the function “check_admin_referer”, and consequently the CSRF verification is nearly complete before the special nonce created in the meta_box is verified. I think it is redundant to create and check a nonce token peculiar to a certain plugin.
    Does anyone know the reasons for creating such a nonce in a meta_box?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    I’m not sure of this, but I believe this is because the ‘save_post’ action can fire for a number of reasons, in some of which there may not be a meta box value to save in $_POST, resulting in an error when the code tries to access it. The nonce confirms the form existed for the particular action that fired.

    It would probably suffice to use array_key_exists() for this purpose because, as you pointed out, the security issues relating to nonce use are handled by the main form handler. In this case, I think the nonce is merely a flag for “safe to save value” as opposed to its normal use as “POST request is legitimate”.

    This is just my opinion. I speak with no special authority or knowledge of the Codex author’s intent.
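The following is an added example illustrating the reply above; it is not code from the thread or from the Codex. It keeps the question's placeholder names (somepost_type, HooHoo, hoo, hoodata) and the assumed nonce action/field names hoo_save / hoo_nonce, and uses only standard WordPress functions. It shows the layered save_post handler a practitioner would write: skip autosaves and revisions, treat the box's own nonce as the “this form was submitted” flag the reply describes, then check capability, and only then read the field. update_post_meta() is used instead of add_post_meta(..., true), since the latter silently fails on every save after the first.

```php
<?php
// Added example (not from the thread or the Codex). Names hoo_save / hoo_nonce /
// hoodata / somepost_type are the question's placeholders; the rest is standard WP API.

add_action('add_meta_boxes_somepost_type', function () {
    add_meta_box('HooHoo', 'hoo', function ($post) {
        // The box's own nonce: also serves as a marker that THIS form was rendered.
        wp_nonce_field('hoo_save', 'hoo_nonce');
        printf(
            '<input type="text" name="hoodata" value="%s">',
            esc_attr(get_post_meta($post->ID, 'hoo', true))
        );
    }, 'somepost_type');
});

// save_post_{post_type} narrows the hook to the one post type we care about.
add_action('save_post_somepost_type', function ($post_id, $post) {
    // 1. save_post also fires for autosaves and revisions, where the meta box
    //    fields are absent from $_POST; bail before touching them.
    if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id)) {
        return;
    }

    // 2. Was this box's form actually submitted? Quick Edit, bulk edit and
    //    programmatic wp_insert_post() calls also reach save_post, without it.
    //    array_key_exists() alone would answer "is the field present"; the nonce
    //    answers that and additionally ties the field to a form rendered for
    //    this specific action, which is the "safe to save" flag discussed above.
    $nonce = isset($_POST['hoo_nonce']) ? sanitize_key($_POST['hoo_nonce']) : '';
    if (!wp_verify_nonce($nonce, 'hoo_save')) {
        return;
    }

    // 3. A nonce is not an authorization check: confirm the user may edit this post.
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }

    // 4. Only now is it safe to read and store the field (missing key = no-op).
    if (array_key_exists('hoodata', $_POST)) {
        update_post_meta(
            $post_id,
            'hoo',
            sanitize_text_field(wp_unslash($_POST['hoodata']))
        );
    }
}, 10, 2);
```

The core “_wpnonce” check in post.php still does the CSRF work for the whole edit screen; the per-box nonce and the autosave/revision guards exist so the handler does not read an undefined index or overwrite stored meta when save_post fires from a path that never rendered this box.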

    Thank you for your opinion!

  • The topic ‘Is creating a nonce token for custom meta_box redundant?’ is closed to new replies.