Do I need to sanitize WordPress search query?

I submit search data to a custom page searchi.php

<?php
    // Build the search string straight from the raw request values
    // (no validation or escaping is applied at this point)
    $search_variables = ($_GET['s'] ?? '') . '+' . ($_GET['cat'] ?? '');

    // Redirect the browser to the WordPress search URL (a plain HTTP GET, no cURL needed).
    // The status code is passed to header() rather than via a CGI-style "Status:" line,
    // which mod_php ignores.
    header("Location: http://localhost/wordpress/?s=$search_variables", true, 301);
    exit;
?>

I know wp_query sanitizes variables for me, so I should not worry about it. But it is better to ask than be sorry, is there any way this would compromise security?


I noticed that echoing the variable $search_variables with <div></div> inserted through the search form works, so should I do something about it?


1 comment

  1. No. WordPress sanitizes the search query.

    To use the sanitized search query, use the_search_query() to echo, or get_search_query() to return, the search query.

    Edit

    Based on your edit:

    • Don’t use $_GET['s']. Use get_search_query().
    • Don’t use $_GET['cat']. Use get_the_category().
    • All $_GET and $_POST data should be assumed to be inherently unsafe, and should be sanitized/validated accordingly.
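As an added example (not code from the question or the answer above), the same redirect built two ways: the raw concatenation from the question next to a hardened version that validates `cat`, URL-encodes `s`, and escapes on output. It is plain PHP with no WordPress loaded; the WordPress functions it stands in for are named in the comments, and the input is constructed to mimic the `<div>` test from the question.

```php
<?php
// Added example, not part of the original question or answer.
// Runs without WordPress; see comments for the WordPress equivalents.

// 1. Unsafe: raw $_GET values pasted into the URL, later echoed verbatim.
function unsafe_redirect_url(array $get): string {
    $search_variables = ($get['s'] ?? '') . '+' . ($get['cat'] ?? '');
    return "http://localhost/wordpress/?s=$search_variables"; // no encoding at all
}

// 2. Hardened: validate each input for its purpose, then let PHP encode it.
function safe_redirect_url(array $get): string {
    $s = trim((string) ($get['s'] ?? ''));
    // WordPress's `cat` query var is a category ID; anything that is not a
    // positive integer is dropped rather than forwarded.
    $cat = filter_var($get['cat'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $query = ['s' => $s];
    if ($cat !== false) {
        $query['cat'] = $cat;
    }
    // http_build_query() percent-encodes every value, so <, >, &, " and #
    // cannot break out of the query string or be reflected raw by the target.
    return 'http://localhost/wordpress/?' . http_build_query($query);
}

// 3. Output escaping. This is what WordPress's get_search_query() does for you
//    (it passes the term through esc_attr()); in a template use that, never $_GET.
function render_search_term(string $term): string {
    return '<p>Results for: ' . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed request: HTML in `s`, garbage in `cat`.
$constructed_get = ['s' => '<div>shoes</div>', 'cat' => 'not-a-number'];

echo unsafe_redirect_url($constructed_get), "\n";   // tags and junk pass straight through
echo safe_redirect_url($constructed_get), "\n";     // `s` encoded, bad `cat` dropped
echo render_search_term($constructed_get['s']), "\n"; // tags rendered as text, not markup
```

Run it from the command line with `php example.php` to compare the three outputs; only the first line still contains literal angle brackets.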