Occasionally I’ve received requests to share out a database table or provide a full extract of a Drupal website to a 3rd party for some reason. In these circumstances it’s a best-practice to sanitize or scrub out sensitive information within your Drupal website.
Luckily, Drush comes to the rescue! Allow me to introduce you to the Drush command: sql-sanitize or its alias sqlsan.
$ drush help sqlsan Run sanitization operations on the current database. Options: --db-url=<mysql://root:firstname.lastname@example.org/db A Drupal 6 style database URL. Only required for initial install - not re-install. > --sanitize-email The pattern for test email addresses in the sanitization operation, or "no" to keep email addresses unchanged. May contain replacement patterns %uid, %mail or %name. Default is "user+%uid@localhost". --sanitize-password The password to assign to all accounts in the sanitization operation, or "no" to keep passwords unchanged. Default is "password". Aliases: sqlsan
From a Drupal website you can stomp out actual user passwords by supplying the option –sanitize-password. Similarly, you may stomp out emails with –sanitize-email.
A recommended best-practice when sanitizing a database is to use an email option such as: –sanitize-email=”email@example.com”
This way if you move this sanitized Drupal website to a new location or development server the emails are not to a domain that could accidentally be sent email by a server process; because @example.com is simply fake.
Lastly, what if there is other custom data in your database you want to sanitize. Simply implement hook_drush_sql_sync_sanitize() and clean whatever sensitive data you don’t want to share with others. Be sure to reference sql_drush_sql_sync_sanitize() when writing your own hook’ed data to clean.