$sanitizer

Provides methods for sanitizing and validating user input, preparing data for output, and more.

Sanitizer is useful for sanitizing input or any other kind of data that you need to match a particular type or format. The Sanitizer methods are accessed from the $sanitizer API variable and/or sanitizer() API variable/function. For example:

$cleanValue = $sanitizer->text($dirtyValue);

You can replace the text() call above with any other sanitizer method. Many sanitizer methods also accept additional arguments—see each individual method for details.

Sanitizer and input

Sanitizer methods are most commonly used with user input. As a result, the methods in this class are also accessible from the $input->get, $input->post and $input->cookie API variables, in the same manner that they are here. This is a useful shortcut for instances where you don’t need to provide additional arguments to the sanitizer method. Below are a few examples of this usage:

// get GET variable 'id' as integer
$id = $input->get->int('id');

// get POST variable 'name' as 1-line plain text
$name = $input->post->text('name');

// get POST variable 'comments' as multi-line plain text
$comments = $input->post->textarea('comments');

In ProcessWire 3.0.125 and newer you can also perform the same task as the above with one less -> level like the example below:

$comments = $input->post('comments','textarea');

This is more convenient in some IDEs because it’ll never be flagged as an unrecognized function call. Though outside of that it makes little difference how you call it, as they both do the same thing.

See the $input API variable for more details on how to call sanitizers directly from $input.

Adding your own sanitizers

You can easily add your own new sanitizers via ProcessWire hooks. Hooks are commonly added in a /site/ready.php file, or from a Module, though you may add them wherever you want. The following example adds a sanitizer method called zip() which enforces a 5 digit zip code:

$sanitizer->addHook('zip', function(HookEvent $event) {
  $sanitizer = $event->object;
  $value = $event->arguments(0); // get first argument given to method
  $value = $sanitizer->digits($value, 5); // allow only digits, max-length 5
  if(strlen($value) < 5) $value = ''; // if fewer than 5 digits, it is not a zip
  $event->return = $value;
});

// now you can use your zip sanitizer
$dirtyValue = 'Decatur GA 30030';
$cleanValue = $sanitizer->zip($dirtyValue);
echo $cleanValue; // outputs: 30030

Additional options 3.0.125 or newer)

In ProcessWire 3.0.125+ you can also combine sanitizer methods in a single call. These are defined by separating each sanitizer method with an understore. The example below runs the value through the text sanitizer and then through the entities sanitizer:

$cleanValue = $sanitizer->text_entities($dirtyValue);

If you append a number to any sanitizer call that returns a string, it is assumed to be maximum allowed length. For example, the following would sanitize the value to be text of no more than 20 characters:

$cleanValue = $sanitizer->text20($dirtyValue);

The above technique also works for any user-defined sanitizers you’ve added via hooks. We like this strategy for storage of sanitizer calls that are executed at some later point, like those you might store in a module config. It essentially enables you to define loose data types for sanitization. In addition, if there are other cases where you need multiple sanitizers to clean a particular value, this strategy can do it with a lot less code than you would with multiple sanitizer calls.

Most methods in the Sanitizer class focus on sanitization rather than validation, with a few exceptions. You can convert a sanitizer call to validation call by calling the validate() method with the name of the sanitizer and the value. A validation call simply implies that if the value is modified by sanitization then it is considered invalid and thus it’ll return a non-value rather than a sanitized value. See the Sanitizer::validate() and Sanitizer::valid() methods for usage details.

Click any linked item for full usage details and examples. Hookable methods are indicated with the icon. In addition to those shown below, the Sanitizer class also inherits all the methods and properties of: Wire.

Common

Name	Return	Summary
$sanitizer->htmlClass() $sanitizer->htmlClass(string $value) $sanitizer->htmlClass(string $value)	`string`	Sanitize string to ASCII-only HTML class attribute value
$sanitizer->htmlClasses() $sanitizer->htmlClasses($value) $sanitizer->htmlClasses($value, bool $getArray = false)	`string` `array`	Sanitize string to ASCII-only space-separated HTML class attribute values with no duplicates

Numbers

Name	Return	Summary
$sanitizer->bit() $sanitizer->bit($value) $sanitizer->bit($value)	`int`	Sanitize to a bit, returning only integer 0 or 1
$sanitizer->date() $sanitizer->date($value) $sanitizer->date($value, $format = null, array $options = [])	`string` `int` `null`	Sanitize a date or date/time string, making sure it is valid, and return it
$sanitizer->digits() $sanitizer->digits(string $value) $sanitizer->digits(string $value, int $maxLength = 1024)	`string`	Sanitize string to contain only ASCII digits (0-9)
$sanitizer->float() $sanitizer->float($value) $sanitizer->float($value, array $options = [])	`float` `string`	Sanitize to floating point value
$sanitizer->getNumberTools() $sanitizer->getNumberTools() $sanitizer->getNumberTools()	`WireNumberTools`	Get instance of WireNumberTools
$sanitizer->int() $sanitizer->int(mixed $value) $sanitizer->int(mixed $value, array $options = [])	`int`	Sanitized an integer (unsigned, unless you specify a negative minimum value)
$sanitizer->intArray() $sanitizer->intArray($value) $sanitizer->intArray($value, $options = [])	`array`	Sanitize array or CSV string to array of unsigned integers (or signed integers if specified $min is less than 0)
$sanitizer->intArrayVal() $sanitizer->intArrayVal($value) $sanitizer->intArrayVal($value, $options = [])	`array`	Sanitize array to be all unsigned integers with no conversions
$sanitizer->intSigned() $sanitizer->intSigned(mixed $value) $sanitizer->intSigned(mixed $value, array $options = [])	`int`	Sanitize to signed integer (negative or positive)
$sanitizer->intUnsigned() $sanitizer->intUnsigned(mixed $value) $sanitizer->intUnsigned(mixed $value, array $options = [])	`int`	Sanitize to unsigned (0 or positive) integer
$sanitizer->max() $sanitizer->max($value) $sanitizer->max($value, $max = 9223372036854775807)	`int` `float`	Sanitize to have a maximuim value
$sanitizer->min() $sanitizer->min($value) $sanitizer->min($value, $min = -9223372036854775808)	`int` `float`	Sanitize to have a minimum value
$sanitizer->range() $sanitizer->range($value) $sanitizer->range($value, $min = null, $max = null)	`int` `float`	Sanitize value to be within the given min and max range

Strings

Name	Return	Summary
$sanitizer->alpha() $sanitizer->alpha(string $value) $sanitizer->alpha(string $value, $beautify = false, int $maxLength = 1024)	`string`	Sanitize to ASCII alpha (a-z A-Z)
$sanitizer->alphanumeric() $sanitizer->alphanumeric(string $value) $sanitizer->alphanumeric(string $value, $beautify = false, int $maxLength = 1024)	`string`	Sanitize to ASCII alphanumeric (a-z A-Z 0-9)
$sanitizer->attrName() $sanitizer->attrName(string $value) $sanitizer->attrName(string $value, int $maxLength = 255)	`string`	Sanitize to an ASCII-only HTML attribute name
$sanitizer->camelCase() $sanitizer->camelCase(string $value) $sanitizer->camelCase(string $value, array $options = [])	`string`	Convert string to be all camelCase
$sanitizer->chars() $sanitizer->chars(string $value) $sanitizer->chars(string $value, $allow = '', string $replacement = '', bool $collapse = true, $mb = null)	`string`	Sanitize string value to have only the given characters
$sanitizer->date() $sanitizer->date($value) $sanitizer->date($value, $format = null, array $options = [])	`string` `int` `null`	Sanitize a date or date/time string, making sure it is valid, and return it
$sanitizer->digits() $sanitizer->digits(string $value) $sanitizer->digits(string $value, int $maxLength = 1024)	`string`	Sanitize string to contain only ASCII digits (0-9)
$sanitizer->email() $sanitizer->email(string $value) $sanitizer->email(string $value, array $options = [])	`string`	Sanitize and validate an email address
$sanitizer->emailHeader() $sanitizer->emailHeader(string $value) $sanitizer->emailHeader(string $value, bool $headerName = false)	`string`	Returns a value that may be used in an email header
$sanitizer->entities() $sanitizer->entities(string $str) $sanitizer->entities(string $str, $flags = 3, string $encoding = 'UTF-8', bool $doubleEncode = true)	`string`	Entity encode a string for output
$sanitizer->entities1() $sanitizer->entities1(string $str) $sanitizer->entities1(string $str, $flags = 3, string $encoding = 'UTF-8')	`string`	Entity encode a string and don’t double encode it if already encoded
$sanitizer->entitiesA() $sanitizer->entitiesA($value) $sanitizer->entitiesA($value, int $flags = 3, string $encoding = 'UTF-8', bool $doubleEncode = true)	`array` `string` `int` `float` `bool`	Entity encode with support for [A]rrays and other non-string values
$sanitizer->entitiesA1() $sanitizer->entitiesA1($value) $sanitizer->entitiesA1($value, int $flags = 3, string $encoding = 'UTF-8')	`array` `string` `int` `float` `bool`	Same as entitiesA() but does not double encode
$sanitizer->entitiesMarkdown() $sanitizer->entitiesMarkdown(string $str) $sanitizer->entitiesMarkdown(string $str, $options = [])	`string`	Entity encode while translating some markdown tags to HTML equivalents
$sanitizer->fieldName() $sanitizer->fieldName(string $value) $sanitizer->fieldName(string $value, $beautify = false, int $maxLength = 128)	`string`	Sanitize consistent with names used by ProcessWire fields and/or PHP variables
$sanitizer->fieldSubfield() $sanitizer->fieldSubfield(string $value) $sanitizer->fieldSubfield(string $value, int $limit = 1)	`string`	Sanitize as a field name but with optional subfield(s) like “field.subfield”
$sanitizer->filename() $sanitizer->filename(string $value) $sanitizer->filename(string $value, $beautify = false, int $maxLength = 128)	`string`	Name filter for ProcessWire filenames (basenames only, not paths)
$sanitizer->getTextTools() $sanitizer->getTextTools() $sanitizer->getTextTools()	`WireTextTools`	Get instance of WireTextTools
$sanitizer->httpUrl() $sanitizer->httpUrl(string $value) $sanitizer->httpUrl(string $value, array $options = [])	`string`	URL with http or https scheme required
$sanitizer->hyphenCase() $sanitizer->hyphenCase(string $value) $sanitizer->hyphenCase(string $value, array $options = [])	`string`	Convert string to be all hyphenated-lowercase (aka kabab-case, hyphen-case, dash-case, etc.)
$sanitizer->kebabCase() $sanitizer->kebabCase(string $value) $sanitizer->kebabCase(string $value, array $options = [])	`string`	Alias of hyphenCase()
$sanitizer->line() $sanitizer->line(string $value) $sanitizer->line(string $value, $maxLength = 0, array $options = [])	`string`	Sanitize any string of text to single line, no HTML, and no specific max-length (unless given)
$sanitizer->lines() $sanitizer->lines(string $value) $sanitizer->lines(string $value, $maxLength = 0, array $options = [])	`string`	Sanitize input string as multi-line text, no HTML tags, and no specific max length (unless given)
$sanitizer->markupToLine() $sanitizer->markupToLine(string $value) $sanitizer->markupToLine(string $value, array $options = [])	`string`	Convert a string containing markup or entities to be a single line of plain text
$sanitizer->markupToText() $sanitizer->markupToText(string $value) $sanitizer->markupToText(string $value, array $options = [])	`string`	Convert a string containing markup or entities to be plain text
$sanitizer->match() $sanitizer->match(string $value, string $regex) $sanitizer->match(string $value, string $regex)	`string`	Validate that given value matches regex pattern.
$sanitizer->maxBytes() $sanitizer->maxBytes(string $value) $sanitizer->maxBytes(string $value, int $maxBytes = 128)	`string`	Limit bytes used by given string to max specified
$sanitizer->maxLength() $sanitizer->maxLength($value) $sanitizer->maxLength($value, int $maxLength = 128, $maxBytes = null)	`array` `float` `int` `string`	Limit length of given value to that specified
$sanitizer->minLength() $sanitizer->minLength(string $value) $sanitizer->minLength(string $value, int $minLength = 1, string $padChar = '', bool $padLeft = false)	`string`	Validate or sanitize a string to have a minimum length
$sanitizer->name() $sanitizer->name(string $value) $sanitizer->name(string $value, $beautify = false, int $maxLength = 128, string $replacement = '_', array $options = [])	`string`	Sanitize in "name" format (ASCII alphanumeric letters/digits, hyphens, underscores, periods)
$sanitizer->names() $sanitizer->names($value) $sanitizer->names($value, string $delimeter = ' ', array $allowedExtras = [], string $replacementChar = '_', bool $beautify = false)	`string` `array`	Sanitize a string or array containing multiple names
$sanitizer->pageName() $sanitizer->pageName(string $value) $sanitizer->pageName(string $value, $beautify = false, $maxLength = 128, array $options = [])	`string`	Sanitize as a ProcessWire page name
$sanitizer->pageNameTranslate() $sanitizer->pageNameTranslate(string $value) $sanitizer->pageNameTranslate(string $value, int $maxLength = 128)	`string`	Name filter for ProcessWire Page names with transliteration
$sanitizer->pageNameUTF8() $sanitizer->pageNameUTF8(string $value) $sanitizer->pageNameUTF8(string $value, int $maxLength = 128)	`string`	Sanitize and allow for UTF-8 characters in page name
$sanitizer->pagePathName() $sanitizer->pagePathName(string $value) $sanitizer->pagePathName(string $value, $beautify = false, int $maxLength = 2048)	`string`	Sanitize a page path name
$sanitizer->pagePathNameUTF8() $sanitizer->pagePathNameUTF8(string $value) $sanitizer->pagePathNameUTF8(string $value)	`string`	Sanitize a UTF-8 page path name (does not perform ASCII/UTF8 conversions)
$sanitizer->pascalCase() $sanitizer->pascalCase(string $value) $sanitizer->pascalCase(string $value, array $options = [])	`string`	Convert string to PascalCase (like camelCase, but first letter always uppercase)
$sanitizer->path() $sanitizer->path(string $value) $sanitizer->path(string $value, $options = [])	`bool` `string`	Validate the given path, return path if valid, or false if not valid
$sanitizer->purify() $sanitizer->purify(string $str) $sanitizer->purify(string $str, array $options = [])	`string`	Purify HTML markup using HTML Purifier
$sanitizer->removeMB4() $sanitizer->removeMB4($value) $sanitizer->removeMB4($value, array $options = [])	`string` `array`	Removes 4-byte UTF-8 characters (like emoji) that produce error with with MySQL regular “UTF8” encoding
$sanitizer->removeNewlines() $sanitizer->removeNewlines(string $str) $sanitizer->removeNewlines(string $str, string $replacement = ' ')	`string`	Remove newlines from the given string and return it
$sanitizer->removeWhitespace() $sanitizer->removeWhitespace(string $str) $sanitizer->removeWhitespace(string $str, $options = [])	`string`	Remove or replace all whitespace from string
$sanitizer->selectorValue() $sanitizer->selectorValue($value) $sanitizer->selectorValue($value, $options = [])	`string` `int` `bool` `mixed`	Sanitizes a string value that needs to go in a ProcessWire selector
$sanitizer->selectorValueAdvanced() $sanitizer->selectorValueAdvanced($value) $sanitizer->selectorValueAdvanced($value, array $options = [])	`bool` `mixed` `string`	Sanitize selector value for advanced text search operator (#=)
$sanitizer->snakeCase() $sanitizer->snakeCase(string $value) $sanitizer->snakeCase(string $value, array $options = [])	`string`	Convert string to be all snake_case (lowercase and underscores)
$sanitizer->string() $sanitizer->string($value) $sanitizer->string($value, $sanitizer = null)	`string`	Sanitize value to string
$sanitizer->text() $sanitizer->text(string $value) $sanitizer->text(string $value, array $options = [])	`string`	Sanitize short string of text to single line without HTML
$sanitizer->textarea() $sanitizer->textarea(string $value) $sanitizer->textarea(string $value, array $options = [])	`string`	Sanitize input string as multi-line text without HTML tags
$sanitizer->textdomain() $sanitizer->textdomain(string $value) $sanitizer->textdomain(string $value)	`string`	Sanitize as language textdomain
$sanitizer->trim() $sanitizer->trim(string $str) $sanitizer->trim(string $str, $chars = '', string $method = 'trim')	`string`	Trim off all known UTF-8 whitespace types (or given chars) from beginning and ending of string
$sanitizer->trunc() $sanitizer->trunc(string $str) $sanitizer->trunc(string $str, $maxLength = 300, array $options = [])	`string`	Truncate string to given maximum length without breaking words and with no added visible extras
$sanitizer->truncate() $sanitizer->truncate(string $str) $sanitizer->truncate(string $str, $maxLength = 300, $options = [])	`string`	Truncate string to given maximum length without breaking words
$sanitizer->unentities() $sanitizer->unentities(string $str) $sanitizer->unentities(string $str, $flags = 3, string $encoding = 'UTF-8')	`string`	Remove entity encoded characters from a string.
$sanitizer->url() $sanitizer->url(string $value) $sanitizer->url(string $value, $options = [])	`string`	Sanitize and validate given URL or return blank if it can’t be made valid
$sanitizer->word() $sanitizer->word(string $value) $sanitizer->word(string $value, array $options = [])	`string`	Return first word in given string
$sanitizer->words() $sanitizer->words($value) $sanitizer->words($value, array $options = [])	`string`	Given string return a new string containing only words

Arrays

Name	Return	Summary
$sanitizer->array() $sanitizer->array($value) $sanitizer->array($value, $sanitizer = null, array $options = [])	`array`	Sanitize array or CSV string to array of values, optionally sanitized by given method
$sanitizer->arrayVal() $sanitizer->arrayVal(mixed $value) $sanitizer->arrayVal(mixed $value, $options = [])	`array`	Simply sanitize value to array with no conversions
$sanitizer->entitiesA() $sanitizer->entitiesA($value) $sanitizer->entitiesA($value, int $flags = 3, string $encoding = 'UTF-8', bool $doubleEncode = true)	`array` `string` `int` `float` `bool`	Entity encode with support for [A]rrays and other non-string values
$sanitizer->entitiesA1() $sanitizer->entitiesA1($value) $sanitizer->entitiesA1($value, int $flags = 3, string $encoding = 'UTF-8')	`array` `string` `int` `float` `bool`	Same as entitiesA() but does not double encode
$sanitizer->flatArray() $sanitizer->flatArray(array $value) $sanitizer->flatArray(array $value, array $options = [])	`array`	Given a potentially multi-dimensional array, return a flat 1-dimensional array
$sanitizer->intArray() $sanitizer->intArray($value) $sanitizer->intArray($value, $options = [])	`array`	Sanitize array or CSV string to array of unsigned integers (or signed integers if specified $min is less than 0)
$sanitizer->intArrayVal() $sanitizer->intArrayVal($value) $sanitizer->intArrayVal($value, $options = [])	`array`	Sanitize array to be all unsigned integers with no conversions
$sanitizer->minArray() $sanitizer->minArray(array $data) $sanitizer->minArray(array $data, $allowEmpty = false, bool $convert = false)	`array`	Minimize an array to remove empty values
$sanitizer->option() $sanitizer->option($value) $sanitizer->option($value, array $allowedValues = [])	`string` `int` `null`	Return $value if it exists in $allowedValues, or null if it doesn't
$sanitizer->options() $sanitizer->options(array $values) $sanitizer->options(array $values, array $allowedValues = [])	`array`	Return given values that that also exist in $allowedValues whitelist
$sanitizer->wordsArray() $sanitizer->wordsArray($value) $sanitizer->wordsArray($value, array $options = [])	`array`	Return array of all words in given value (excluding punctuation and other non-word characters)

Pages

Name	Return	Summary
$sanitizer->pageName() $sanitizer->pageName(string $value) $sanitizer->pageName(string $value, $beautify = false, $maxLength = 128, array $options = [])	`string`	Sanitize as a ProcessWire page name
$sanitizer->pageNameTranslate() $sanitizer->pageNameTranslate(string $value) $sanitizer->pageNameTranslate(string $value, int $maxLength = 128)	`string`	Name filter for ProcessWire Page names with transliteration
$sanitizer->pageNameUTF8() $sanitizer->pageNameUTF8(string $value) $sanitizer->pageNameUTF8(string $value, int $maxLength = 128)	`string`	Sanitize and allow for UTF-8 characters in page name
$sanitizer->pagePathName() $sanitizer->pagePathName(string $value) $sanitizer->pagePathName(string $value, $beautify = false, int $maxLength = 2048)	`string`	Sanitize a page path name
$sanitizer->pagePathNameUTF8() $sanitizer->pagePathNameUTF8(string $value) $sanitizer->pagePathNameUTF8(string $value)	`string`	Sanitize a UTF-8 page path name (does not perform ASCII/UTF8 conversions)
$sanitizer->path() $sanitizer->path(string $value) $sanitizer->path(string $value, $options = [])	`bool` `string`	Validate the given path, return path if valid, or false if not valid

Constants

Name	Return	Summary
Sanitizer::translate const	2	Constant used for the $beautify argument of name sanitizer methods to indicate transliteration may be used.

Files

Name	Return	Summary
$sanitizer->filename() $sanitizer->filename(string $value) $sanitizer->filename(string $value, $beautify = false, int $maxLength = 128)	`string`	Name filter for ProcessWire filenames (basenames only, not paths)
$sanitizer->validateFile() $sanitizer->validateFile(string $filename) $sanitizer->validateFile(string $filename, array $options = [])	`bool` `array` `null`	Validate and sanitize a file using FileValidator modules

Validate

Name	Return	Summary
$sanitizer->email() $sanitizer->email(string $value) $sanitizer->email(string $value, array $options = [])	`string`	Sanitize and validate an email address
$sanitizer->httpUrl() $sanitizer->httpUrl(string $value) $sanitizer->httpUrl(string $value, array $options = [])	`string`	URL with http or https scheme required
$sanitizer->url() $sanitizer->url(string $value) $sanitizer->url(string $value, $options = [])	`string`	Sanitize and validate given URL or return blank if it can’t be made valid
$sanitizer->valid() $sanitizer->valid($value) $sanitizer->valid($value, string $method = 'text', bool $strict = false)	`bool`	Is given value valid? (i.e. unchanged by given sanitizer method)
$sanitizer->validate() $sanitizer->validate($value) $sanitizer->validate($value, string $method = 'text', $fallback = null)	`null` `mixed`	Validate that value remains unchanged by given sanitizer method, or return null if not

Other

Name	Return	Summary
$sanitizer->bit() $sanitizer->bit($value) $sanitizer->bit($value)	`int`	Sanitize to a bit, returning only integer 0 or 1
$sanitizer->bool() $sanitizer->bool($value) $sanitizer->bool($value)	`bool`	Convert the given value to a boolean
$sanitizer->checkbox() $sanitizer->checkbox($value) $sanitizer->checkbox($value, $yes = true, $no = false)	`int` `bool` `string` `mixed` `null`	Sanitize checkbox value
$sanitizer->getAll() $sanitizer->getAll() $sanitizer->getAll(bool $getReturnTypes = false)	`array`	Get all sanitizer method names and optionally types they return
$sanitizer->getNumberTools() $sanitizer->getNumberTools() $sanitizer->getNumberTools()	`WireNumberTools`	Get instance of WireNumberTools
$sanitizer->getTextTools() $sanitizer->getTextTools() $sanitizer->getTextTools()	`WireTextTools`	Get instance of WireTextTools
$sanitizer->maxLength() $sanitizer->maxLength($value) $sanitizer->maxLength($value, int $maxLength = 128, $maxBytes = null)	`array` `float` `int` `string`	Limit length of given value to that specified
$sanitizer->purifier() $sanitizer->purifier() $sanitizer->purifier(array $options = [])	`MarkupHTMLPurifier`	Return a new HTML Purifier instance
$sanitizer->sanitize() $sanitizer->sanitize(mixed $value) $sanitizer->sanitize(mixed $value, string $method = 'text')	`string` `int` `array` `float` `null`	Call a sanitizer method indirectly where method name can contain combined/combo methods
$sanitizer->testAll() $sanitizer->testAll(mixed $value) $sanitizer->testAll(mixed $value)	`array`	Run value through all sanitizers, return array indexed by sanitizer name and resulting value

Additional methods and properties

In addition to the methods and properties above, Sanitizer also inherits the methods and properties of these classes:

Wire

API reference based on ProcessWire core version 3.0.252