[wp-hackers] Rethinking check_admin_referer()

John Joseph Bachir jjb at ibiblio.org
Mon Apr 17 14:32:38 GMT 2006

On Mon, 17 Apr 2006, Mark Jaquith wrote:

> 1) function wp_secure_form($key='') { }

> This function would echo out a hidden form input with an md5 hash 
> computed on (a) the database password, (b) the userid, and (c) the 
> optional key.

> 2) function wp_check_form($key='') { }
> This would just compare the computed hash against $_POST['wp_secure_form_key']; or something.

This is precisely what I have done with Lyceum. The relevant functions are 
in this file starting at line 115:


Every form or administrative link in the system is given a token:

function tokeninput($targetscript, $action='default', $id=0){
 	// formtoken() issues a token bound to this script/action/id for the logged-in user
 	$token = formtoken($targetscript, $action, $id);
 	return "<input type=\"hidden\" name=\"token\" value=\"$token\" />";
}

And is validated at the receiving end:

function validateToken( $token, $targetscript, $action='default', $id=0 ){
 	if (!tokenIsValid( $token, $targetscript, $action, $id )) {
 		// rejection handling; the excerpt in the post ends here
 	}
}

The tokens are specific to a logged-in user, and expire after a set time. 
After they are validated, they are deleted. The timeout feature of this 
needs a bit of refinement, because right now if someone edits a post for 
more than the timeout time, they will lose their post. But overall I am 
very happy with how this system fits into the rest of my code.

Right now the tokens are being managed with a php session, but they could 
also be put into the database if y'all don't like using sessions (as an 
aside, why is authentication done directly with cookies instead of with 


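The token scheme described in the post above (per-user, per-form tokens that expire and are deleted once validated), written out as an added example. This is not Lyceum's or WordPress's code: the function names mirror the post, but formtoken, tokeninput, tokenStatus, tokenIsValid, validateToken, TOKEN_TTL and the $store array (a stand-in for $_SESSION) are all assumptions of this example. It also shows one way to handle the edit-timeout problem the post mentions, by reporting an expired token separately from a forged one so the caller can re-render the form with the submitted content rather than discard it.

```php
<?php
// Added example, not Lyceum or WordPress code. All names are assumptions.
// $store stands in for a per-user table such as $_SESSION['tokens'].

const TOKEN_TTL = 600; // seconds a token stays valid (assumed value)

// Issue a token bound to (script, action, id). The token itself is a random
// nonce from a CSPRNG, so it cannot be derived from any per-user constant.
function formtoken(array &$store, string $targetscript, string $action = 'default',
                   int $id = 0, ?int $now = null): string {
    $now = $now ?? time();
    $nonce = bin2hex(random_bytes(16));  // 128 bits of entropy, 32 hex chars
    $store[$nonce] = [
        'script'  => $targetscript,
        'action'  => $action,
        'id'      => $id,
        'expires' => $now + TOKEN_TTL,
    ];
    return $nonce;
}

// Hidden input for a form; the nonce is hex, but escape anyway so the
// function stays safe if the token encoding ever changes.
function tokeninput(array &$store, string $targetscript, string $action = 'default',
                    int $id = 0, ?int $now = null): string {
    $token = formtoken($store, $targetscript, $action, $id, $now);
    return '<input type="hidden" name="token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '" />';
}

// Returns 'ok', 'expired' or 'invalid' without touching the store.
function tokenStatus(array $store, string $token, string $targetscript,
                     string $action = 'default', int $id = 0, ?int $now = null): string {
    $now = $now ?? time();
    if (!preg_match('/^[0-9a-f]{32}$/', $token) || !isset($store[$token])) {
        return 'invalid';
    }
    $rec = $store[$token];
    // every bound field must match; hash_equals keeps the string compares constant-time
    if (!hash_equals($rec['script'], $targetscript)
        || !hash_equals($rec['action'], $action)
        || $rec['id'] !== $id) {
        return 'invalid';
    }
    return $now > $rec['expires'] ? 'expired' : 'ok';
}

function tokenIsValid(array $store, string $token, string $targetscript,
                      string $action = 'default', int $id = 0, ?int $now = null): bool {
    return tokenStatus($store, $token, $targetscript, $action, $id, $now) === 'ok';
}

// Single use: a matching token is removed on validation so a captured request
// cannot be replayed. An expired token is removed too, but reported as
// 'expired' so the caller can re-render the form with the submitted content
// and a fresh token instead of losing a long edit. A token that does not
// match at all is left alone (it may belong to another form still open).
function validateToken(array &$store, string $token, string $targetscript,
                       string $action = 'default', int $id = 0, ?int $now = null): string {
    $status = tokenStatus($store, $token, $targetscript, $action, $id, $now);
    if ($status !== 'invalid') {
        unset($store[$token]);
    }
    return $status;
}

// Demonstration with a constructed session store and a fixed clock.
$session = [];
$t0 = 1000000;
$html = tokeninput($session, 'post.php', 'edit', 42, $t0);
preg_match('/value="([0-9a-f]+)"/', $html, $m);
$token = $m[1];

// wrong action for the same token: rejected, token kept for the real form
var_dump(validateToken($session, $token, 'post.php', 'delete', 42, $t0) === 'invalid');
// correct (script, action, id): accepted and consumed
var_dump(validateToken($session, $token, 'post.php', 'edit', 42, $t0) === 'ok');
// replay of the consumed token: rejected
var_dump(validateToken($session, $token, 'post.php', 'edit', 42, $t0) === 'invalid');
// same tuple, but submitted after TOKEN_TTL: reported as expired, not forged
$late = formtoken($session, 'post.php', 'edit', 42, $t0);
var_dump(validateToken($session, $late, 'post.php', 'edit', 42, $t0 + TOKEN_TTL + 1) === 'expired');
```

The store is keyed by the nonce rather than by the (script, action, id) tuple so that several forms for the same target can be open at once, and so a token issued for one action (edit) is useless for another (delete) on the same object. Keeping the table per user (in the session or a database row keyed by user id) is what makes the tokens user-specific; a hash computed from a fixed per-user secret would instead be the same for every request until that secret changed, which is why this example issues a fresh random value per form.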