The add_option() function has a comment in source that says that values are expected to not be SQL-escaped. add_option() makes a call to sanitize_option(), so it appears there is no need to escape.
But if you look at sanitize_option() source, it only sanitizes the default options. Custom options pass through unaltered! There is one default url type option which is passed through esc_url_raw(), so I think you should do the same, or similar, to your URLs.
thanks…when I look at the, say, update_options source, it looks like they also send it through sanitize options….so you think if don’t esc_url_raw my urls they won’t be escaped in the update_options routine…thus causing the memory problem?
I don’t know if this is the cause of your user’s memory leak. All I know is sanitize_option() only sanitizes default options. It does nothing to custom options. And that the one default option that is an url gets passed through esc_url_raw().
I’m almost sure your url option value is not escaped by update_option(). You could verify for yourself by finding your option in the postmeta table using phpMYAdmin.