I'd like to automate some administrative task for myself on my wpmu install. For example, I'm trying to write php curl script for logging in and adding a new blog. So i'm already logged in via curl and now i want to post form that's in wpmu-blogs.php but it has hidden wp nonce field. How do i get this value into variable? I checked source but there are more than one wp nonce hidden fields. I'm assuming that there are different nonce values for different tasks on different forms. How do i get the one i need - for adding new blog?
+2
A:
The point of a nonce is to protect against a cross site forgery attack. Because of this, a new nonce value is going to be generated on a regular basis. If the nonce was predictable, it wouldn't be effective.
To post to a nonce enabled form using curl, you'd need to
Turn on all cookie handling options (both saving cookies to a cookie jar, and sending cookies in the saved cookie jar)
Make a request to the page that contains your form
Using regular expressions or an HTML/XHTML parsing library, pull out the nonce value you want
With that value in hand, post to the page you want, sending the nonce along
This kind of programming can be tedious. You're essentially trying to emulate a web browser. It's doable, but you may want to consider
Looking into the Wordpress XML-RPC API. This is the supported way of doing the kind of things you're trying to automate with CURL, and will be much more straight forward once you climb the learning curve.
There's also the AtomPub API. AtomPub is, in part, an attempt to come up with a standard way of performing common actions to weblogs and personal publishing sites. The advantage is, in theroy, scripts written for one system (Wordpress) will work on another system (MovableType). The disadvantage is AtomPub features tend to lag behind/differ from features supported in each engine's custom API.
Finally, if you're not up for leaning either API, you might want to give Selenium a try. Selenium IDE will allow you to script Firefox and have the nonce handled automatically, since you're actually using a browser to visit each page.
Alan Storm
2009-09-07 00:55:57
so any ideas how do i scrape none? with regular expressions or something else? my problem is that there are two identical parts of code with different nonces on the same page so i'm not sure how do i get the one i want - by better scraping or api?
Phil
2009-09-07 00:59:00
btw security aside, it would help if i were able to edit my own site ;)
Phil
2009-09-07 01:09:36
Each form field will have a different name or id, so key off of that.
Alan Storm
2009-09-08 17:53:26
A:
you can also use greasemonkey to script your firefox.
This addon permit to customize webpage and do some action using javascript.
RageZ
2009-09-07 01:02:28