sanitize_user_field() WordPress Function

The sanitize_user_field() function is used to sanitize a user field. This function is used to clean up data before it is stored in the database. This function can be used to sanitize any user field, including the user_nicename, user_email, and display_name fields.

sanitize_user_field( string $field, mixed $value, int $user_id, string $context ) #

Sanitizes user field based on context.

Contents

Description

Possible context values are: ‘raw’, ‘edit’, ‘db’, ‘display’, ‘attribute’ and ‘js’. The ‘display’ context is used by default. ‘attribute’ and ‘js’ contexts are treated like ‘display’ when calling filters.

Top ↑

Parameters

$field

(string)(Required)The user Object field name.

$value

(mixed)(Required)The user Object value.

$user_id

(int)(Required)User ID.

$context

(string)(Required)How to sanitize user fields. Looks for 'raw', 'edit', 'db', 'display', 'attribute' and 'js'.

Top ↑

Return

(mixed) Sanitized value.

Top ↑

Source

File: wp-includes/user.php

function sanitize_user_field( $field, $value, $user_id, $context ) {
	$int_fields = array( 'ID' );
	if ( in_array( $field, $int_fields, true ) ) {
		$value = (int) $value;
	}

	if ( 'raw' === $context ) {
		return $value;
	}

	if ( ! is_string( $value ) && ! is_numeric( $value ) ) {
		return $value;
	}

	$prefixed = false !== strpos( $field, 'user_' );

	if ( 'edit' === $context ) {
		if ( $prefixed ) {

			/** This filter is documented in wp-includes/post.php */
			$value = apply_filters( "edit_{$field}", $value, $user_id );
		} else {

			/**
			 * Filters a user field value in the 'edit' context.
			 *
			 * The dynamic portion of the hook name, `$field`, refers to the prefixed user
			 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
			 *
			 * @since 2.9.0
			 *
			 * @param mixed $value   Value of the prefixed user field.
			 * @param int   $user_id User ID.
			 */
			$value = apply_filters( "edit_user_{$field}", $value, $user_id );
		}

		if ( 'description' === $field ) {
			$value = esc_html( $value ); // textarea_escaped?
		} else {
			$value = esc_attr( $value );
		}
	} elseif ( 'db' === $context ) {
		if ( $prefixed ) {
			/** This filter is documented in wp-includes/post.php */
			$value = apply_filters( "pre_{$field}", $value );
		} else {

			/**
			 * Filters the value of a user field in the 'db' context.
			 *
			 * The dynamic portion of the hook name, `$field`, refers to the prefixed user
			 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
			 *
			 * @since 2.9.0
			 *
			 * @param mixed $value Value of the prefixed user field.
			 */
			$value = apply_filters( "pre_user_{$field}", $value );
		}
	} else {
		// Use display filters by default.
		if ( $prefixed ) {

			/** This filter is documented in wp-includes/post.php */
			$value = apply_filters( "{$field}", $value, $user_id, $context );
		} else {

			/**
			 * Filters the value of a user field in a standard context.
			 *
			 * The dynamic portion of the hook name, `$field`, refers to the prefixed user
			 * field being filtered, such as 'user_login', 'user_email', 'first_name', etc.
			 *
			 * @since 2.9.0
			 *
			 * @param mixed  $value   The user object value to sanitize.
			 * @param int    $user_id User ID.
			 * @param string $context The context to filter within.
			 */
			$value = apply_filters( "user_{$field}", $value, $user_id, $context );
		}
	}

	if ( 'user_url' === $field ) {
		$value = esc_url( $value );
	}

	if ( 'attribute' === $context ) {
		$value = esc_attr( $value );
	} elseif ( 'js' === $context ) {
		$value = esc_js( $value );
	}

	// Restore the type for integer fields after esc_attr().
	if ( in_array( $field, $int_fields, true ) ) {
		$value = (int) $value;
	}

	return $value;
}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/formatting.php:esc_html()

Escaping for HTML blocks.

wp-includes/formatting.php:esc_attr()

Escaping for HTML attributes.

wp-includes/formatting.php:esc_url()

Checks and cleans a URL.

wp-includes/formatting.php:esc_js()

Escapes single quotes, ", , &, and fixes line endings.

wp-includes/plugin.php:apply_filters()

Calls the callback functions that have been added to a filter hook.

wp-includes/user.php:user_{$field}

Filters the value of a user field in a standard context.

wp-includes/user.php:edit_user_{$field}

Filters a user field value in the ‘edit’ context.

wp-includes/user.php:pre_user_{$field}

Filters the value of a user field in the ‘db’ context.

wp-includes/post.php:edit_{$field}

Filters the value of a specific post field to edit.

wp-includes/post.php:pre_{$field}

Filters the value of a specific post field before saving.

wp-includes/post.php:{$field}

Filters the value of a specific post field for display.

Show 6 more usesHide more uses

Top ↑

Changelog

Changelog
VersionDescription
2.3.0Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.

Show More
Show More