

Sanitize the database by removing or obfuscating user data.

Commandfiles may add custom operations by implementing:

  • @hook on-event sql-sanitize-confirms. Display summary to user before confirmation.
  • @hook post-command sql-sanitize. Run queries or call APIs to perform sanitizing.
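
A commandfile that implements both hooks, as an added example (not code from the Drush project). The module namespace, the class name, and the `mymodule_subscriber` table with its `id`, `email` and `phone` columns are hypothetical; the commandfile must also be registered with Drush in the way your Drush version expects.

```php
<?php

namespace Drupal\mymodule\Commands; // hypothetical module namespace

use Consolidation\AnnotatedCommand\CommandData;
use Drush\Commands\DrushCommands;
use Symfony\Component\Console\Input\InputInterface;

/**
 * Added example: sanitizes a hypothetical custom table, mymodule_subscriber.
 */
final class SubscriberSanitizeCommands extends DrushCommands
{
    /**
     * Adds a line to the summary shown before the user confirms.
     *
     * @hook on-event sql-sanitize-confirms
     */
    public function messages(&$messages, InputInterface $input)
    {
        $messages[] = dt('Overwrite email and phone in mymodule_subscriber.');
    }

    /**
     * Runs as a post-command hook of sql:sanitize.
     *
     * @hook post-command sql-sanitize
     */
    public function sanitize($result, CommandData $commandData)
    {
        // Give every row a distinct, non-routable address so a UNIQUE
        // index on the email column still holds, and drop phone numbers.
        \Drupal::database()->update('mymodule_subscriber')
            ->expression('email', "CONCAT('subscriber+', id, '@localhost.localdomain')")
            ->fields(['phone' => NULL])
            ->execute();
        $this->logger()->success(dt('mymodule_subscriber table sanitized.'));
    }
}
```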

Several working commandfiles may be found at


  • drush sql:sanitize --sanitize-password=no. Sanitize database without modifying any passwords.
  • drush sql:sanitize --allowlist-fields=field_biography,field_phone_number. Sanitizes database but exempts two user fields from modification.


  • --whitelist-fields[=WHITELIST-FIELDS]. Deprecated. Use allowlist-fields instead.
  • --allowlist-fields[=ALLOWLIST-FIELDS]. A comma-delimited list of fields exempt from sanitization.
  • --sanitize-email[=SANITIZE-EMAIL]. The pattern for test email addresses in the sanitization operation, or no to keep email addresses unchanged. May contain replacement patterns %uid, %mail or %name. [default: user+%uid@localhost.localdomain]
  • --sanitize-password[=SANITIZE-PASSWORD]. By default, passwords are randomized. Specify no to disable that. Specify any other value to set all passwords to that value.



  • sqlsan
  • sql-sanitize


  • An argument or option with square brackets is optional.
  • Any default value is listed at end of arg/option description.
  • An ellipsis indicates that an argument accepts multiple values separated by a space.