Tell us what you are trying to do? I am using cred_save_data but need to know if i should check nonce from my end or toolset safely handles that on it's own?. Also i am planning to use custom file upload, not the default wordpress media upload method that toolset offers. For that i am changing the toolset form enctype to multipart/form-data using javascript so that $_FILES works. It works for me but wanted to know if there is any native method present in toolset that allow this?
Is there any documentation that you are following?
Tell us what you are trying to do? I am using cred_save_data but need to know if i should check nonce from my end or toolset safely handles that on it's own?
Forms validates several different nonces in different ways, can you be more specific about which nonce you want to check, and for what purpose? I can ask my developers if you have a specific question about nonce validation during the cred_save_data hook.
For that i am changing the toolset form enctype to multipart/form-data using javascript so that $_FILES works. It works for me but wanted to know if there is any native method present in toolset that allow this?
Usually the enctype will automatically be set to multipart/form-data if you include any image custom field, custom file field, or a featured image, or a generic image or generic file field in the Form. You could include a generic image field in the Form, give it some generic field slug, and hide it with CSS if you'd like, and that would force the mutlipart/form-data enctype in the generated form element. I'm not aware of any other JavaScript API available to force the enctype attribute as you've described other than including some field that would require a file input by default.
Thank you for the reply.
I want to know if i need to use wp_verify_nonce() inside cred_save_data?
I am uploading a file inside cred_save_data using $_FILES and want to be sure if I need to use wp_verify_nonce() here or it's already validated.
I think not, because none of our example code implements such code. I will verify with my 2nd tier support team and give you an update as soon as I can. Please stand by for some feedback.
Let me ask you directly for clarification, because I don't understand your question.
In particular, I don't understand what "I am uploading a file inside cred_save_data using $_FILES" means.
The $_FILES global variable provides information about uploaded files, it isn't a way to upload a file. If you are using the cred_save_data hook to trigger some other custom code that is used to initiate a file upload that didn't come from the Toolset form the cred_save_data belongs to, then I can't really comment on that code or process.
What I can say is that if you disable the WP Media Library setting in a Toolset form, and your form includes a file field, then when a user submits the form the file will be uploaded as part of that form submission (and details of the file will be available in the $_FILES global in the Forms API hooks). This form submission is already protected by WordPress nonces by the time you arrive at the cred_save_data hook.
