Home Forums Backend Issues (wp-admin) Checking nonce when validating field


Checking nonce when validating field

  • We have a number of ACF admin fields, and use acf/validate_value to validate many of these.

    We’re also in the process of applying WordPress Coding Standards to much of our code, and we’re coming up against “Processing form data without nonce verification” errors.

    A typical code sample we’re attempting to apply this to is below – you can see where the check_admin_referer() function is being called; this is where I’d expect to place the nonce action.

    Is there an ACF nonce-action I should be verifying against? Should I be creating my own? Apologies if this is documented, I’ve not be able to source it.

    public static function validate_start_date( $valid, $value, $field, $input ) {
    		if ( ! $valid ) {
    			return $valid; }
    		if ( ! empty( $_POST ) && check_admin_referer( ??? ) ) {
    			$submitted_post_type = '';
    			$submitted_post_id   = 0;
    			if ( isset( $_POST['post_type'] ) ) {
    				$submitted_post_type = sanitize_text_field( wp_unslash( $_POST['post_type'] ) );
    			if ( isset( $_POST['post_ID'] ) ) {
    				$submitted_post_id = (int) $_POST['post_ID'];
    			$date_in_use = self::check_single_ad_date( $value, $submitted_post_type, $submitted_post_id );
    			if ( $date_in_use ) {
    				$valid = 'This date clashes with an existing campaign';
    		return $valid;
  • ACF validates its own nonce before the hook acf/validate_value is run. There should be no need to do your own nonce validation when using this hook.

  • Thanks John, much appreciated!
    I’ll check the WordPress Coding Standards for “ignore” rules for this kind of false positive error reporting.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.