sanitize_text_field()
Sanitizes the passed string, leaving clean text: no HTML tags, line breaks, etc.
Use this function to sanitize strings before saving them to the database (for example, values received from an input field), and sometimes for strings read back from the database.
This function does not protect against SQL injection! When saving to the database, the string must additionally be processed by one of these functions: esc_sql() or $wpdb->prepare().
What exactly the function does:
- Checks for invalid UTF-8 encoding.
- Converts a lone < character (one that does not form a tag) to its HTML entity.
- Strips all tags.
- Removes line breaks (\r\n), tabs (\t), and extra whitespace.
- Removes spaces at the beginning and end of the string (trim()).
- Replaces multiple spaces with a single space.
- Strips percent-encoded octets: %[a-f0-9]{2}.
What is the difference between esc_html() and sanitize_text_field():
esc_html() — only converts HTML special characters and entities into visible text so that the browser does not process the text as HTML; i.e. it preserves all the data and makes it readable.
sanitize_text_field() — removes all HTML characters, line breaks, tabs, and HTML entities. The function leaves plain text; i.e. it does everything needed to make the value of an input field safe to save.
Use sanitize_textarea_field() when you want to clear a string but leave line breaks.
Hooks from the function:
- sanitize_text_field (filter applied to the sanitized string; see the function code below)
Return
String. Sanitized string.
Usage
sanitize_text_field( $str );
- $str (string) (required)
  String to sanitize.
Examples
#1 Demonstration of the function:
sanitize_text_field( 'Check <em>how</em> the string is sanitized <br>. ' );
//> 'Check how the string is sanitized.'

sanitize_text_field( 'Юникод симоволы 😃 🐻' );
//> Юникод симоволы 😃 🐻

sanitize_text_field( '𝗦𝗣𝗜𝗞𝗘𝗦 𝗕𝗥𝗔𝗜𝗡𝗟𝗔𝗜𝗦𝗦' );
//> 𝗦𝗣𝗜𝗞𝗘𝗦 𝗕𝗥𝗔𝗜𝗡𝗟𝗔𝗜𝗦𝗦 (unicode)

sanitize_text_field( 'http://example.com/foo.php#bar' );
//> 'http://example.com/foo.php#bar'

sanitize_text_field( 'foo <strong> bar' );
//> foo bar

sanitize_text_field( 123 );
//> string(3) "123"

sanitize_text_field( 'http://test.ru/%D0%BF%D1%80%D0%B8%D0%B2%D0%B5%D1%82/' );
//> http://test.ru//

sanitize_text_field( '{ "Vlad Mir": "https://profiles.wordpress.org/sephp", "Kama": "https://wp-kama.com" }' );
//> { "Vlad Mir": "https://profiles.wordpress.org/sephp", "Kama": "https://wp-kama.com" }
#2 Using the function in an input field
This example shows how to use the function inside an INPUT tag. Suppose we receive a $_POST request with a field value:
<input type="text" name="str" value="<?php echo esc_attr( sanitize_text_field( $_POST['str'] ) ) ?>" />
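The sanitization steps listed above, and the sanitize-on-input / escape-on-output pattern of example #2, as an added stand-alone example (this is not WordPress code and not code from this page): the listed steps are ported into plain PHP so they run without WordPress, which makes it easy to see what the function removes and, more importantly, what it leaves alone. Every function whose name ends in _port is this example's own; htmlspecialchars() with ENT_QUOTES stands in for esc_attr() (an assumption made for the offline demo); the input strings are constructed.

```php
<?php
// Added example: a stand-alone port of the steps listed above so they can be run
// without WordPress. Every *_port function is this example's own, not WordPress's API.

// Step 1: invalid UTF-8 yields an empty string. The /u modifier makes PCRE validate
// the whole subject, so a failed match means the bytes are not UTF-8
// (assumption: close enough to wp_check_invalid_utf8() for a demonstration).
function check_invalid_utf8_port( string $str ): string {
    if ( $str === '' || preg_match( '/^./us', $str ) === 1 ) {
        return $str;
    }
    return '';
}

// Step 2: a lone '<' that never closes into a tag becomes &lt;, so the later
// whitespace stripping cannot join it with the following text into a working tag.
function pre_kses_less_than_port( string $str ): string {
    return preg_replace_callback(
        '%<[^>]*?((?=<)|>|$)%',
        function ( array $m ): string {
            return strpos( $m[0], '>' ) === false
                ? htmlspecialchars( $m[0], ENT_QUOTES, 'UTF-8' )
                : $m[0];
        },
        $str
    );
}

// Step 3: drop <script>/<style> elements together with their contents, then every other tag.
function strip_all_tags_port( string $str ): string {
    $str = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $str );
    return trim( strip_tags( $str ) );
}

function sanitize_text_field_port( $str, bool $keep_newlines = false ): string {
    if ( is_object( $str ) || is_array( $str ) ) {
        return '';
    }
    $filtered = check_invalid_utf8_port( (string) $str );

    if ( strpos( $filtered, '<' ) !== false ) {
        $filtered = pre_kses_less_than_port( $filtered );
        $filtered = strip_all_tags_port( $filtered );
        $filtered = str_replace( "<\n", "&lt;\n", $filtered );
    }

    // Steps 4-6: collapse \r, \n, \t and runs of spaces to one space, then trim.
    if ( ! $keep_newlines ) {
        $filtered = preg_replace( '/[\r\n\t ]+/', ' ', $filtered );
    }
    $filtered = trim( $filtered );

    // Step 7: strip percent-encoded octets, then re-collapse the spaces their removal exposed.
    $found = false;
    while ( preg_match( '/%[a-f0-9]{2}/i', $filtered, $match ) ) {
        $filtered = str_replace( $match[0], '', $filtered );
        $found    = true;
    }
    if ( $found ) {
        $filtered = trim( preg_replace( '/ +/', ' ', $filtered ) );
    }
    return $filtered;
}

// Constructed inputs. The last two show what the function leaves alone: a single
// quote survives untouched (quoting is $wpdb->prepare()'s job, not this function's),
// and a percent-encoded path loses its octets entirely rather than being decoded.
$samples = [
    'Check <em>how</em> the string is sanitized <br>. ',
    "<script>alert(1)</script>Hello\t\tworld\r\n",
    '5 < 6 and 7 > 3',
    "O'Reilly",
    'http://test.ru/%D0%BF%D1%80%D0%B8/',
];
foreach ( $samples as $in ) {
    printf( "%s\n  => %s\n", var_export( $in, true ), var_export( sanitize_text_field_port( $in ), true ) );
}

// Output stage from example #2: sanitize on input, escape on output. htmlspecialchars()
// with ENT_QUOTES stands in for esc_attr() (assumption for this offline demo).
$posted = $_POST['str'] ?? 'a "quoted" <value>'; // constructed fallback when run from the CLI
$clean  = sanitize_text_field_port( $posted );
echo '<input type="text" name="str" value="' . htmlspecialchars( $clean, ENT_QUOTES, 'UTF-8' ) . '" />', "\n";
```

Run it with php from the command line. The point to take from the output is the division of labour the page describes: sanitize_text_field() strips markup and control characters, escaping for HTML output is a separate step (esc_attr() in WordPress), and quoting for SQL is a third one that only esc_sql() or $wpdb->prepare() provides.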
Notes
- See: sanitize_textarea_field()
- See: wp_check_invalid_utf8()
- See: wp_strip_all_tags()
Changelog
Since 2.9.0: Introduced.
sanitize_text_field() code, WP 6.7.1

function sanitize_text_field( $str ) {
	$filtered = _sanitize_text_fields( $str, false );

	/**
	 * Filters a sanitized text field string.
	 *
	 * @since 2.9.0
	 *
	 * @param string $filtered The sanitized string.
	 * @param string $str      The string prior to being sanitized.
	 */
	return apply_filters( 'sanitize_text_field', $filtered, $str );
}