Title: sanitize_option Published: April 25, 2014 Last modified: February 24, 2026 --- # sanitize_option( string $option, mixed $value ): mixed ## In this article * [Description](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#description) * [Parameters](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#parameters) * [Return](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#return) * [More Information](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#more-information) * [Source](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#source) * [Hooks](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#hooks) * [Related](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#related) * [Changelog](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#changelog) [ Back to top](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#wp--skip-link--target) Sanitizes various option values based on the nature of the option. ## 󠀁[Description](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#description)󠁿 This is basically a switch statement which will pass $value through a number of functions depending on the $option. ## 󠀁[Parameters](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#parameters)󠁿 `$option`stringrequired The name of the option. `$value`mixedrequired The unsanitized value. ## 󠀁[Return](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#return)󠁿 mixed Sanitized value. ## 󠀁[More Information](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#more-information)󠁿 After the value has been handled by the functions in the switch statement, it will be passed through a [sanitize_option_$option](https://developer.wordpress.org/reference/hooks/sanitize_option_option/) filter. New options can be defined by adding an appropriate [sanitize_option_$option](https://developer.wordpress.org/reference/hooks/sanitize_option_option/) filter (e.g. ‘sanitize_option_avatar’ for a filter for an ‘avatar’ option) Existing options handled by [sanitize_option()](https://developer.wordpress.org/reference/functions/sanitize_option/): admin_email new_admin_email thumbnail_size_w thumbnail_size_h medium_size_w medium_size_h large_size_w large_size_h mailserver_port comment_max_links page_on_front page_for_posts rss_excerpt_length default_category default_email_category default_link_category close_comments_days_old comments_per_page thread_comments_depth users_can_register start_of_week posts_per_page posts_per_rss default_ping_status default_comment_status blogdescription blogname blog_charset blog_public date_format time_format mailserver_url mailserver_login mailserver_pass upload_path ping_sites gmt_offset siteurl home WPLANG illegal_names limited_email_domains banned_email_domains timezone_string permalink_structure category_base tag_base ## 󠀁[Source](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#source)󠁿 ```php function sanitize_option( $option, $value ) { global $wpdb; $original_value = $value; $error = null; switch ( $option ) { case 'admin_email': case 'new_admin_email': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { $value = sanitize_email( $value ); if ( ! is_email( $value ) ) { $error = __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ); } } break; case 'thumbnail_size_w': case 'thumbnail_size_h': case 'medium_size_w': case 'medium_size_h': case 'medium_large_size_w': case 'medium_large_size_h': case 'large_size_w': case 'large_size_h': case 'mailserver_port': case 'comment_max_links': case 'page_on_front': case 'page_for_posts': case 'rss_excerpt_length': case 'default_category': case 'default_email_category': case 'default_link_category': case 'close_comments_days_old': case 'comments_per_page': case 'thread_comments_depth': case 'users_can_register': case 'start_of_week': case 'site_icon': case 'fileupload_maxk': $value = absint( $value ); break; case 'posts_per_page': case 'posts_per_rss': $value = (int) $value; if ( empty( $value ) ) { $value = 1; } if ( $value < -1 ) { $value = abs( $value ); } break; case 'default_ping_status': case 'default_comment_status': // Options that if not there have 0 value but need to be something like "closed". if ( '0' === (string) $value || '' === $value ) { $value = 'closed'; } break; case 'blogdescription': case 'blogname': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( $value !== $original_value ) { $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', wp_encode_emoji( $original_value ) ); } if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { $value = esc_html( $value ); } break; case 'blog_charset': if ( is_string( $value ) ) { $value = preg_replace( '/[^a-zA-Z0-9_-]/', '', $value ); // Strips slashes. } else { $value = ''; } break; case 'blog_public': // This is the value if the settings checkbox is not checked on POST. Don't rely on this. if ( null === $value ) { $value = 1; } else { $value = (int) $value; } break; case 'date_format': case 'time_format': case 'mailserver_url': case 'mailserver_login': case 'mailserver_pass': case 'upload_path': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { $value = strip_tags( $value ); $value = wp_kses_data( $value ); } break; case 'ping_sites': $value = explode( "\n", $value ); $value = array_filter( array_map( 'trim', $value ) ); $value = array_filter( array_map( 'sanitize_url', $value ) ); $value = implode( "\n", $value ); break; case 'gmt_offset': if ( is_numeric( $value ) ) { $value = preg_replace( '/[^0-9:.-]/', '', $value ); // Strips slashes. } else { $value = ''; } break; case 'siteurl': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { $value = sanitize_url( $value ); } else { $error = __( 'The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.' ); } } break; case 'home': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { if ( preg_match( '#http(s?)://(.+)#i', $value ) ) { $value = sanitize_url( $value ); } else { $error = __( 'The Site address you entered did not appear to be a valid URL. Please enter a valid URL.' ); } } break; case 'WPLANG': $allowed = get_available_languages(); if ( ! is_multisite() && defined( 'WPLANG' ) && '' !== WPLANG && 'en_US' !== WPLANG ) { $allowed[] = WPLANG; } if ( ! in_array( $value, $allowed, true ) && ! empty( $value ) ) { $value = get_option( $option ); } break; case 'illegal_names': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { if ( ! is_array( $value ) ) { $value = explode( ' ', $value ); } $value = array_values( array_filter( array_map( 'trim', $value ) ) ); if ( ! $value ) { $value = ''; } } break; case 'limited_email_domains': case 'banned_email_domains': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { if ( ! is_array( $value ) ) { $value = explode( "\n", $value ); } $domains = array_values( array_filter( array_map( 'trim', $value ) ) ); $value = array(); foreach ( $domains as $domain ) { if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) ) { $value[] = $domain; } } if ( ! $value ) { $value = ''; } } break; case 'timezone_string': $allowed_zones = timezone_identifiers_list( DateTimeZone::ALL_WITH_BC ); if ( ! in_array( $value, $allowed_zones, true ) && ! empty( $value ) ) { $error = __( 'The timezone you have entered is not valid. Please select a valid timezone.' ); } break; case 'permalink_structure': case 'category_base': case 'tag_base': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { $value = sanitize_url( $value ); $value = str_replace( 'http://', '', $value ); } if ( 'permalink_structure' === $option && null === $error && '' !== $value && ! preg_match( '/%[^\/%]+%/', $value ) ) { $error = sprintf( /* translators: %s: Documentation URL. */ __( 'A structure tag is required when using custom permalinks. Learn more' ), __( 'https://wordpress.org/documentation/article/customize-permalinks/#choosing-your-permalink-structure' ) ); } break; case 'default_role': if ( ! get_role( $value ) && get_role( 'subscriber' ) ) { $value = 'subscriber'; } break; case 'moderation_keys': case 'disallowed_keys': $value = $wpdb->strip_invalid_text_for_column( $wpdb->options, 'option_value', $value ); if ( is_wp_error( $value ) ) { $error = $value->get_error_message(); } else { $value = explode( "\n", $value ); $value = array_filter( array_map( 'trim', $value ) ); $value = array_unique( $value ); $value = implode( "\n", $value ); } break; } if ( null !== $error ) { if ( '' === $error && is_wp_error( $value ) ) { /* translators: 1: Option name, 2: Error code. */ $error = sprintf( __( 'Could not sanitize the %1$s option. Error code: %2$s' ), $option, $value->get_error_code() ); } $value = get_option( $option ); if ( function_exists( 'add_settings_error' ) ) { add_settings_error( $option, "invalid_{$option}", $error ); } } /** * Filters an option value following sanitization. * * @since 2.3.0 * @since 4.3.0 Added the `$original_value` parameter. * * @param mixed $value The sanitized option value. * @param string $option The option name. * @param mixed $original_value The original value passed to the function. */ return apply_filters( "sanitize_option_{$option}", $value, $option, $original_value ); } ``` [View all references](https://developer.wordpress.org/reference/files/wp-includes/formatting.php/) [View on Trac](https://core.trac.wordpress.org/browser/tags/6.9.4/src/wp-includes/formatting.php#L4861) [View on GitHub](https://github.com/WordPress/wordpress-develop/blob/6.9.4/src/wp-includes/formatting.php#L4861-L5136) ## 󠀁[Hooks](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#hooks)󠁿 [apply_filters( “sanitize_option_{$option}”, mixed $value, string $option, mixed $original_value )](https://developer.wordpress.org/reference/hooks/sanitize_option_option/) Filters an option value following sanitization. ## 󠀁[Related](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#related)󠁿 | Uses | Description | | [wpdb::strip_invalid_text_for_column()](https://developer.wordpress.org/reference/classes/wpdb/strip_invalid_text_for_column/)`wp-includes/class-wpdb.php` | Strips any invalid characters from the string for a given table and column. | | [wp_encode_emoji()](https://developer.wordpress.org/reference/functions/wp_encode_emoji/)`wp-includes/formatting.php` | Converts emoji characters to their equivalent HTML entity. | | [add_settings_error()](https://developer.wordpress.org/reference/functions/add_settings_error/)`wp-admin/includes/template.php` | Registers a settings error to be displayed to the user. | | [get_role()](https://developer.wordpress.org/reference/functions/get_role/)`wp-includes/capabilities.php` | Retrieves role object. | | [get_available_languages()](https://developer.wordpress.org/reference/functions/get_available_languages/)`wp-includes/l10n.php` | Gets all available languages based on the presence of *.mo and *.l10n.php files in a given directory. | | [sanitize_email()](https://developer.wordpress.org/reference/functions/sanitize_email/)`wp-includes/formatting.php` | Strips out all characters that are not allowable in an email. | | [is_email()](https://developer.wordpress.org/reference/functions/is_email/)`wp-includes/formatting.php` | Verifies that an email is valid. | | [wp_kses_data()](https://developer.wordpress.org/reference/functions/wp_kses_data/)`wp-includes/kses.php` | Sanitize content with allowed HTML KSES rules. | | [__()](https://developer.wordpress.org/reference/functions/__/)`wp-includes/l10n.php` | Retrieves the translation of $text. | | [esc_html()](https://developer.wordpress.org/reference/functions/esc_html/)`wp-includes/formatting.php` | Escaping for HTML blocks. | | [sanitize_url()](https://developer.wordpress.org/reference/functions/sanitize_url/)`wp-includes/formatting.php` | Sanitizes a URL for database or redirect usage. | | [is_multisite()](https://developer.wordpress.org/reference/functions/is_multisite/)`wp-includes/load.php` | Determines whether Multisite is enabled. | | [absint()](https://developer.wordpress.org/reference/functions/absint/)`wp-includes/load.php` | Converts a value to non-negative integer. | | [apply_filters()](https://developer.wordpress.org/reference/functions/apply_filters/)`wp-includes/plugin.php` | Calls the callback functions that have been added to a filter hook. | | [get_option()](https://developer.wordpress.org/reference/functions/get_option/)`wp-includes/option.php` | Retrieves an option value based on an option name. | | [is_wp_error()](https://developer.wordpress.org/reference/functions/is_wp_error/)`wp-includes/load.php` | Checks whether the given variable is a WordPress Error. | [Show 11 more](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#) [Show less](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#) | Used by | Description | | [update_network_option()](https://developer.wordpress.org/reference/functions/update_network_option/)`wp-includes/option.php` | Updates the value of a network option that was already added. | | [add_network_option()](https://developer.wordpress.org/reference/functions/add_network_option/)`wp-includes/option.php` | Adds a new network option. | | [populate_options()](https://developer.wordpress.org/reference/functions/populate_options/)`wp-admin/includes/schema.php` | Create WordPress options and set the default values. | | [get_settings_errors()](https://developer.wordpress.org/reference/functions/get_settings_errors/)`wp-admin/includes/template.php` | Fetches settings errors registered by [add_settings_error()](https://developer.wordpress.org/reference/functions/add_settings_error/) . | | [wp_ajax_date_format()](https://developer.wordpress.org/reference/functions/wp_ajax_date_format/)`wp-admin/includes/ajax-actions.php` | Handles formatting a date via AJAX. | | [wp_ajax_time_format()](https://developer.wordpress.org/reference/functions/wp_ajax_time_format/)`wp-admin/includes/ajax-actions.php` | Handles formatting a time via AJAX. | | [update_option()](https://developer.wordpress.org/reference/functions/update_option/)`wp-includes/option.php` | Updates the value of an option that was already added. | | [add_option()](https://developer.wordpress.org/reference/functions/add_option/)`wp-includes/option.php` | Adds a new option. | [Show 3 more](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#) [Show less](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#) ## 󠀁[Changelog](https://developer.wordpress.org/reference/functions/sanitize_option/?output_format=md#changelog)󠁿 | Version | Description | | [2.0.5](https://developer.wordpress.org/reference/since/2.0.5/) | Introduced. | ## User Contributed Notes You must [log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Ffunctions%2Fsanitize_option%2F) before being able to contribute a note or feedback.