Default WordPress settings API data sanitization

WordPress will not do any data sanitization for you. It does do sanitization/validation of the default options.

You have to pass in the third argument of register_setting and either role your own validation callback or or use one of the builtins.

If your options is only going to contain a string, you could do something like this, for instance.

<?php
register_setting('your_group', 'your_setting', 'esc_attr');

You can trace how WP saves an option, if you look at the source for register_setting (in wp-admin/includes/plugin.php):

<?php
/**
 * Register a setting and its sanitization callback
 *
 * @since 2.7.0
 *
 * @param string $option_group A settings group name. Should correspond to a whitelisted option key name.
 *  Default whitelisted option key names include "general," "discussion," and "reading," among others.
 * @param string $option_name The name of an option to sanitize and save.
 * @param unknown_type $sanitize_callback A callback function that sanitizes the option's value.
 * @return unknown
 */
function register_setting( $option_group, $option_name, $sanitize_callback = '' ) {
    global $new_whitelist_options;

    if ( 'misc' == $option_group ) {
        _deprecated_argument( __FUNCTION__, '3.0', __( 'The miscellaneous options group has been removed. Use another settings group.' ) );
        $option_group = 'general';
    }

    $new_whitelist_options[ $option_group ][] = $option_name;
    if ( $sanitize_callback != '' )
        add_filter( "sanitize_option_{$option_name}", $sanitize_callback );
}

The key bit is the last few lines of the function. If there’s a sanitization callback, WP will add it to the filter sanitize_option_{$name}.

That filter gets applied in sanitize_option (in wp-includes/formatting.php):

<?php
/**
 * Sanitises various option values based on the nature of the option.
 *
 * This is basically a switch statement which will pass $value through a number
 * of functions depending on the $option.
 *
 * @since 2.0.5
 *
 * @param string $option The name of the option.
 * @param string $value The unsanitised value.
 * @return string Sanitized value.
 */
function sanitize_option($option, $value) {

    switch ( $option ) {
        case 'admin_email' :
        case 'new_admin_email' :
            $value = sanitize_email( $value );
            if ( ! is_email( $value ) ) {
                $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
                if ( function_exists( 'add_settings_error' ) )
                    add_settings_error( $option, 'invalid_admin_email', __( 'The email address entered did not appear to be a valid email address. Please enter a valid email address.' ) );
            }
            break;

        case 'thumbnail_size_w':
        case 'thumbnail_size_h':
        case 'medium_size_w':
        case 'medium_size_h':
        case 'large_size_w':
        case 'large_size_h':
        case 'embed_size_h':
        case 'default_post_edit_rows':
        case 'mailserver_port':
        case 'comment_max_links':
        case 'page_on_front':
        case 'page_for_posts':
        case 'rss_excerpt_length':
        case 'default_category':
        case 'default_email_category':
        case 'default_link_category':
        case 'close_comments_days_old':
        case 'comments_per_page':
        case 'thread_comments_depth':
        case 'users_can_register':
        case 'start_of_week':
            $value = absint( $value );
            break;

        case 'embed_size_w':
            if ( '' !== $value )
                $value = absint( $value );
            break;

        case 'posts_per_page':
        case 'posts_per_rss':
            $value = (int) $value;
            if ( empty($value) )
                $value = 1;
            if ( $value < -1 )
                $value = abs($value);
            break;

        case 'default_ping_status':
        case 'default_comment_status':
            // Options that if not there have 0 value but need to be something like "closed"
            if ( $value == '0' || $value == '')
                $value="closed";
            break;

        case 'blogdescription':
        case 'blogname':
            $value = addslashes($value);
            $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
            $value = stripslashes($value);
            $value = esc_html( $value );
            break;

        case 'blog_charset':
            $value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
            break;

        case 'date_format':
        case 'time_format':
        case 'mailserver_url':
        case 'mailserver_login':
        case 'mailserver_pass':
        case 'ping_sites':
        case 'upload_path':
            $value = strip_tags($value);
            $value = addslashes($value);
            $value = wp_filter_kses($value); // calls stripslashes then addslashes
            $value = stripslashes($value);
            break;

        case 'gmt_offset':
            $value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
            break;

        case 'siteurl':
            if ( (bool)preg_match( '#http(s?)://(.+)#i', $value) ) {
                $value = esc_url_raw($value);
            } else {
                $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
                if ( function_exists('add_settings_error') )
                    add_settings_error('siteurl', 'invalid_siteurl', __('The WordPress address you entered did not appear to be a valid URL. Please enter a valid URL.'));
            }
            break;

        case 'home':
            if ( (bool)preg_match( '#http(s?)://(.+)#i', $value) ) {
                $value = esc_url_raw($value);
            } else {
                $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
                if ( function_exists('add_settings_error') )
                    add_settings_error('home', 'invalid_home', __('The Site address you entered did not appear to be a valid URL. Please enter a valid URL.'));
            }
            break;

        case 'WPLANG':
            $allowed = get_available_languages();
            if ( ! in_array( $value, $allowed ) && ! empty( $value ) )
                $value = get_option( $option );
            break;

        case 'timezone_string':
            $allowed_zones = timezone_identifiers_list();
            if ( ! in_array( $value, $allowed_zones ) && ! empty( $value ) ) {
                $value = get_option( $option ); // Resets option to stored value in the case of failed sanitization
                if ( function_exists('add_settings_error') )
                    add_settings_error('timezone_string', 'invalid_timezone_string', __('The timezone you have entered is not valid. Please select a valid timezone.') );
            }
            break;

        case 'permalink_structure':
        case 'category_base':
        case 'tag_base':
            $value = esc_url_raw( $value );
            $value = str_replace( 'http://', '', $value );
            break;
    }

    $value = apply_filters("sanitize_option_{$option}", $value, $option);

    return $value;
}

As you can see, there are a lot of cases there to handle all the built ins, but no default sanitization.

Sanitize option is called in update_option to clean/validate things before they go into the database.

<?php
/**
 * Update the value of an option that was already added.
 *
 * You do not need to serialize values. If the value needs to be serialized, then
 * it will be serialized before it is inserted into the database. Remember,
 * resources can not be serialized or added as an option.
 *
 * If the option does not exist, then the option will be added with the option
 * value, but you will not be able to set whether it is autoloaded. If you want
 * to set whether an option is autoloaded, then you need to use the add_option().
 *
 * @since 1.0.0
 * @package WordPress
 * @subpackage Option
 *
 * @uses apply_filters() Calls 'pre_update_option_$option' hook to allow overwriting the
 *  option value to be stored.
 * @uses do_action() Calls 'update_option' hook before updating the option.
 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
 *
 * @param string $option Option name. Expected to not be SQL-escaped.
 * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
 * @return bool False if value was not updated and true if value was updated.
 */
function update_option( $option, $newvalue ) {
    global $wpdb;

    $option = trim($option);
    if ( empty($option) )
        return false;

    wp_protect_special_option( $option );

    if ( is_object($newvalue) )
        $newvalue = clone $newvalue;

    $newvalue = sanitize_option( $option, $newvalue );
    $oldvalue = get_option( $option );
    $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );

    // If the new and old values are the same, no need to update.
    if ( $newvalue === $oldvalue )
        return false;

    if ( false === $oldvalue )
        return add_option( $option, $newvalue );

    $notoptions = wp_cache_get( 'notoptions', 'options' );
    if ( is_array( $notoptions ) && isset( $notoptions[$option] ) ) {
        unset( $notoptions[$option] );
        wp_cache_set( 'notoptions', $notoptions, 'options' );
    }

    $_newvalue = $newvalue;
    $newvalue = maybe_serialize( $newvalue );

    do_action( 'update_option', $option, $oldvalue, $_newvalue );
    if ( ! defined( 'WP_INSTALLING' ) ) {
        $alloptions = wp_load_alloptions();
        if ( isset( $alloptions[$option] ) ) {
            $alloptions[$option] = $_newvalue;
            wp_cache_set( 'alloptions', $alloptions, 'options' );
        } else {
            wp_cache_set( $option, $_newvalue, 'options' );
        }
    }

    $result = $wpdb->update( $wpdb->options, array( 'option_value' => $newvalue ), array( 'option_name' => $option ) );

    if ( $result ) {
        do_action( "update_option_{$option}", $oldvalue, $_newvalue );
        do_action( 'updated_option', $option, $oldvalue, $_newvalue );
        return true;
    }
    return false;
}

That’s kind of long winded. Just wanted to show the process by which you could go through and figure out this sort of thing.

Edit

It should be noted that arrays of options will be serialized (via maybe_serialize).

Related Posts:

  1. Is sanitize_text_field() is enough to save to DB?
  2. How to display data from custom table in wordpress database?
  3. How does WordPress store data?
  4. Who is responsible for data sanitization in WordPress development?
  5. What is the proper way to validate and sanitize JSON response from REST API?
  6. data (html) migration to posts
  7. What’s the proper way to sanitize checkbox value sent to the database
  8. Safely store code(html/js..) into database
  9. How to add checkbox with multiple values in table?
  10. Whats the best practise on how to store json data from a custom settings page?
  11. WordPress Settings API Overrides My Previous Value
  12. Where is the HTML-handler part in the wpdb class?
  13. Checking if Database Table exists
  14. Staging sites, how do you manage synchronising updates in the DB?
  15. How to get the post publish date outside the loop?
  16. How To Export/Import WordPress (MySQL) Database Properly Via Command-Line?
  17. Using transients in conjunction with memcached
  18. How to define composite keys with dbDelta()
  19. Has parent field in the table wp_term_taxonomy has term_id or term_taxonomy_id
  20. Forcing nickname as display_name in custom edit profile template
  21. Syncing local content with development / staging sites
  22. Export WP database for import using WP-CLI on Vagrant Box
  23. Corrupt WordPress Database
  24. Have multiple local wordpress installs share a wp-content folder and database
  25. Faulty restore of the database, encoding issue
  26. Updating all rows of table with $wpdb
  27. What actions affect files, DB, or both?
  28. Cannot unserialize WordPress serialized values in `wp_options` table?
  29. Is $wpdb->prepare escaping to much? How to use it properly?
  30. How to log database changes during an upgrade?
  31. Using same database for main and subdomain
  32. What is stored in the webserver? (Separated Database)
  33. Remove database entries where post_date > expiration date
  34. Installation with sql server express edition
  35. Emojis getting converted to “?”
  36. Building a Scalable Resiliant WP Setup
  37. Single database for multiple instances
  38. Get all tags not just first 10 with wp api 2.0
  39. Should non-WordPress data get its own DB?
  40. Search and replace special characters (å,ä,ö) for image attachments only in database
  41. Accidentally deleted active_plugins portion of the wp_options DB table
  42. Automate dir and DB stack creation with WP-CLI
  43. delete post meta from db, even if does not exist?
  44. In what part of the WordPress core does the users table and usermeta table get joined?
  45. WordPress Settings API – Sanitize Integer
  46. WordPress and MySQL: how to transfer Meta_key and Meta_Value from one post_id to another
  47. Output custom content not from the posts table?
  48. Reducing Database Query Time
  49. How can I get my wordpress password from an SQL file?
  50. Create table from array with prepare
  51. Migrate database between 2 different wordpress version
  52. Is there an atomic way to update_option in WordPress (to ensure data integrity)?
  53. Form that sends data to an admin panel and can export it
  54. All text disappeared (seems to be a database problem) [closed]
  55. Convert user passwords to MD5?
  56. is wordpress stores Role Id in WP database?
  57. Why do database examples sometimes finish with an add_option call?
  58. How to backup my site and restore my wordpress site
  59. How and where is wordpress adding mySQL content to database?
  60. restore a db after bad backup
  61. How get Data form wordpress database as array not stdclass?
  62. cannot connect database
  63. How to delete a particular row in a database table
  64. Brandoo WordPress Unable to Update to WordPress 4.2.2
  65. Connecting to wordpress database in my application [closed]
  66. How to use checked() function with multiple check box group? How to properly sanitize that checkbox group?
  67. change the year on all of my custom post types?
  68. How do I have a user upload a blog post and then retrieve that to display in a card on the site?
  69. Delete user with only subscriber role
  70. WordPress keeps redirecting to localhost
  71. get value from ‘terms’ table
  72. custom tables in wordpress Database? (can i just create them with sql?)
  73. How to rename custom table name programatically in wordpress?
  74. Displaying requested data from a the database in wordpress
  75. Accidently changed the GUID
  76. pre_get_posts causings DB error when using ( ‘posts_per_page’, -1)?
  77. generate PDF from member information
  78. How to save Checkbox-Options in Plugin Options Page
  79. Is it safe to add INDEX to a column in WordPress database?
  80. Help posting values to DB on submit using $wpdb->query
  81. Restore Old Database Over Newer WP & Plugin Files
  82. wpdb query to insert images in to post/page gallery
  83. Creating a database in my plugin not working
  84. How to create index (sql) to a meta_key?
  85. Not sure what to do next to optimize
  86. Database structure for thousands of posts
  87. get_user_meta and umeta_id
  88. $wpdb not working
  89. Accessing content from third party as native posts in WordPress
  90. Extracted CSV as Array for Custom Query Loop
  91. One WP Database outside localhost and two connections
  92. Send data to database after redirect (and popping out of iframe)
  93. Fetch data from another site, but the same database
  94. Simple email input store in database
  95. Every time I update or install a plugin I get “Error Establishing a Database Connection in WordPress”
  96. Settings api sanatize callback not being triggered
  97. $wpdb->insert not working for last select option
  98. How to create a table [closed]
  99. Upload wordpress from localhost to 000webhost
  100. wp_usermeta key problem

Leave a Comment