I submit search data to a custom page searchi.php
<?php
//
$search_variables = $_GET['s']. '+' .$_GET['cat'];
//This sends http post to url without curl
header("Status: 301 Moved Permanently");
header("Location:http://localhost/wordpress/?s=$search_variables");
exit;
?>
I know wp_query sanitizes variables for me, so I should not worry about it. But it is better to ask than be sorry, is there any way this would compromise security?
I noticed echoing variable $search_variables with <div></div> inserted through search form works, so should I do something about it?
No. WordPress sanitizes the search query.
To use the sanitized search query, use
the_search_query()to echo, orget_search_query()to return, the search query.Edit
Based on your edit:
$_GET['s']. Useget_search_query().$_GET['cat']. Useget_the_category().$_GETand$_POSTdata should be assumed to be inherently unsafe, and should be sanitized/validated accordingly.