sanitize_file_name( string $filename ): string

Sanitizes a filename, replacing whitespace with dashes.

Contents

Description

Removes special characters that are illegal in filenames on certain operating systems and special characters requiring special escaping to manipulate at the command line. Replaces spaces and consecutive dashes with a single dash. Trims period, dash and underscore from beginning and end of filename. It is not guaranteed that this function will return a filename that is allowed to be uploaded.

Top ↑

Parameters

$filename string Required
The filename to be sanitized.

Top ↑

Return

string The sanitized filename.

Top ↑

More Information

The special characters are passed through the sanitize_file_name_chars filter before removing them from the file name, allowing plugins to change which characters are considered invalid. After sanitize_file_name() has done its work, it passes the sanitized file name through the sanitize_file_name filter.

Top ↑

Source

File: wp-includes/formatting.php. View all references 

function sanitize_file_name( $filename ) {
	$filename_raw = $filename;
	$filename     = remove_accents( $filename );

	$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', '’', '«', '»', '”', '“', chr( 0 ) );

	// Check for support for utf8 in the installed PCRE library once and store the result in a static.
	static $utf8_pcre = null;
	if ( ! isset( $utf8_pcre ) ) {
		// phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
		$utf8_pcre = @preg_match( '/^./u', 'a' );
	}

	if ( ! seems_utf8( $filename ) ) {
		$_ext     = pathinfo( $filename, PATHINFO_EXTENSION );
		$_name    = pathinfo( $filename, PATHINFO_FILENAME );
		$filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext;
	}

	if ( $utf8_pcre ) {
		$filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
	}

	/**
	 * Filters the list of characters to remove from a filename.
	 *
	 * @since 2.8.0
	 *
	 * @param string[] $special_chars Array of characters to remove.
	 * @param string   $filename_raw  The original filename to be sanitized.
	 */
	$special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );

	$filename = str_replace( $special_chars, '', $filename );
	$filename = str_replace( array( '%20', '+' ), '-', $filename );
	$filename = preg_replace( '/\.{2,}/', '.', $filename );
	$filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
	$filename = trim( $filename, '.-_' );

	if ( ! str_contains( $filename, '.' ) ) {
		$mime_types = wp_get_mime_types();
		$filetype   = wp_check_filetype( 'test.' . $filename, $mime_types );
		if ( $filetype['ext'] === $filename ) {
			$filename = 'unnamed-file.' . $filetype['ext'];
		}
	}

	// Split the filename into a base and extension[s].
	$parts = explode( '.', $filename );

	// Return if only one extension.
	if ( count( $parts ) <= 2 ) {
		/** This filter is documented in wp-includes/formatting.php */
		return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
	}

	// Process multiple extensions.
	$filename  = array_shift( $parts );
	$extension = array_pop( $parts );
	$mimes     = get_allowed_mime_types();

	/*
	 * Loop over any intermediate extensions. Postfix them with a trailing underscore
	 * if they are a 2 - 5 character long alpha string not in the allowed extension list.
	 */
	foreach ( (array) $parts as $part ) {
		$filename .= '.' . $part;

		if ( preg_match( '/^[a-zA-Z]{2,5}\d?$/', $part ) ) {
			$allowed = false;
			foreach ( $mimes as $ext_preg => $mime_match ) {
				$ext_preg = '!^(' . $ext_preg . ')$!i';
				if ( preg_match( $ext_preg, $part ) ) {
					$allowed = true;
					break;
				}
			}
			if ( ! $allowed ) {
				$filename .= '_';
			}
		}
	}

	$filename .= '.' . $extension;

	/**
	 * Filters a sanitized filename string.
	 *
	 * @since 2.8.0
	 *
	 * @param string $filename     Sanitized filename.
	 * @param string $filename_raw The filename prior to sanitization.
	 */
	return apply_filters( 'sanitize_file_name', $filename, $filename_raw );
}

View on Trac View on GitHub

Top ↑

Hooks

Top ↑

Top ↑

Uses

Uses
Uses Description
sanitize_title_with_dashes() wp-includes/formatting.php

Sanitizes a title, replacing whitespace and a few other characters with dashes.
remove_accents() wp-includes/formatting.php

Converts all accent characters to ASCII characters.
seems_utf8() wp-includes/formatting.php

Checks to see if a string is utf8 encoded.
wp_get_mime_types() wp-includes/functions.php

Retrieves the list of mime types and file extensions.
wp_check_filetype() wp-includes/functions.php

Retrieves the file type from the file name.
get_allowed_mime_types() wp-includes/functions.php

Retrieves the list of allowed mime types and file extensions.
apply_filters() wp-includes/plugin.php

Calls the callback functions that have been added to a filter hook.
Show 2 more uses Hide more uses

Top ↑

Used By

Used By
Used By Description
wp_ajax_crop_image() wp-admin/includes/ajax-actions.php

Handles cropping an image via AJAX.
File_Upload_Upgrader::__construct() wp-admin/includes/class-file-upload-upgrader.php

Construct the upgrader for a form.
download_url() wp-admin/includes/file.php

Downloads a URL to a local temporary file using the WordPress HTTP API.
wp_unique_filename() wp-includes/functions.php

Gets a filename that is sanitized and unique for the given directory.
wp_xmlrpc_server::mw_newMediaObject() wp-includes/class-wp-xmlrpc-server.php

Uploads a file, following your settings.

Top ↑

Changelog

Changelog
Version Description
2.1.0 Introduced.

Top ↑

User Contributed Notes

  1. Skip to note 1 content
    You must log in to vote on the helpfulness of this noteVote results for this note: 0You must log in to vote on the helpfulness of this note
    Contributed by Muhammad Jawad Abbasi

    When you write any special characters in a filename like brackets, commas etc then that function sanitize_file_name() automatically remove from that file name.

    For Example:

    <?php
$sanfilename = sanitize_file_name('[test],.php');
echo $sanfilename;
?>

    In above code use bracket and comma after that sanitize_file_name() function remove bracket and comma then show final result is test.php

You must log in before being able to contribute a note or feedback.