I submit search data to a custom page searchi.php
<?php
// Read the two search-form parameters (default to empty strings if absent).
$s   = $_GET['s']   ?? '';
$cat = $_GET['cat'] ?? '';
// Join them with '+', percent-encoding each part so characters such as
// '&', '#' or '<' in the input cannot alter the query string.
$search_variables = urlencode($s) . '+' . urlencode($cat);
// This issues an HTTP redirect (the browser then performs a GET); it is not a POST.
// The status code is passed to header() rather than sent as a separate "Status:" header.
header("Location: http://localhost/wordpress/?s=$search_variables", true, 301);
exit;
?>
I know wp_query sanitizes variables for me, so I should not worry about it. But it is better to ask than be sorry: is there any way this would compromise security?
I noticed that echoing the variable $search_variables with <div></div> inserted through the search form works, so should I do something about it?
No. WordPress sanitizes the search query.
To use the sanitized search query, use the_search_query() to echo, or get_search_query() to return, the search query.
Edit
Based on your edit:
$_GET['s']: use get_search_query().
$_GET['cat']: use get_the_category().
$_GET and $_POST data should be assumed to be inherently unsafe, and should be sanitized/validated accordingly.
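As an added example (not code from the question or the answer above), here is one way to apply that last point to the redirect script from the question: validate each parameter before it reaches WordPress, and let http_build_query() encode the values. It assumes the WordPress front end lives at the base URL shown and that 'cat' is meant to be a numeric category ID; the CLI sample input is constructed.

```php
<?php
/**
 * Build the redirect target from untrusted request parameters.
 * Returns null when the input does not pass validation.
 */
function build_search_redirect(array $get, string $base = 'http://localhost/wordpress/'): ?string
{
    // 's' is free text: keep it as a string, trim it, and cap its length.
    $s = (isset($get['s']) && is_string($get['s'])) ? trim($get['s']) : '';
    if ($s === '' || strlen($s) > 200) {
        return null;
    }

    $params = ['s' => $s];

    // 'cat' is optional, but when present it must be a positive integer (a category ID).
    if (isset($get['cat']) && $get['cat'] !== '') {
        $cat = filter_var($get['cat'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($cat === false) {
            return null;
        }
        $params['cat'] = $cat;
    }

    // http_build_query() percent-encodes every value, so '&', '#', '<' or
    // newlines in the input cannot change the structure of the query string.
    return $base . '?' . http_build_query($params);
}

// Constructed sample input for a command-line run; a real request uses $_GET.
$input  = (PHP_SAPI === 'cli') ? ['s' => 'shoes <div></div> & hats', 'cat' => '3'] : $_GET;
$target = build_search_redirect($input);

if ($target === null) {
    http_response_code(400);
    exit('Invalid search request');
}

// A search redirect is not a permanent move: 303 tells the browser to issue a
// GET for the target without caching the redirect. header() itself rejects
// embedded CR/LF, so the Location value cannot inject further headers.
header('Location: ' . $target, true, 303);
exit;
```

Run from the CLI it only exercises the validation path with the constructed input; behind a web server it redirects on valid input and answers 400 otherwise.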