I submit search data to a custom page searchi.php

<?php
    // Read the two form fields; a missing key becomes an empty string instead of a PHP notice.
    $s   = isset($_GET['s'])   ? $_GET['s']   : '';
    $cat = isset($_GET['cat']) ? $_GET['cat'] : '';

    // Percent-encode each value so that characters such as '&', '#' or a newline
    // cannot alter the query string or add lines to the Location header.
    $search_variables = urlencode($s) . '+' . urlencode($cat);

    // This redirects the browser to the WordPress search URL without curl
    // (the browser then issues a GET to that URL; no POST is involved).
    // The status code is passed as the third argument of header(); a separate
    // "Status:" header only works under CGI.
    header("Location: http://localhost/wordpress/?s=$search_variables", true, 301);
    exit;
?>

I know WP_Query sanitizes variables for me, so I should not worry about it. But it is better to ask than be sorry: is there any way this would compromise security?

I noticed that echoing the variable $search_variables with <div></div> inserted through the search form works, so should I do something about it?

1 Answer

No. WordPress sanitizes the search query.

To use the sanitized search query, use the_search_query() to echo, or get_search_query() to return, the search query.

Edit

Based on your edit:

  • Don’t use $_GET['s']. Use get_search_query().
  • Don’t use $_GET['cat']. Use get_the_category().
  • All $_GET and $_POST data should be assumed to be inherently unsafe, and should be sanitized/validated accordingly.
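The last bullet is the one that applies to the redirect page in the question, since that page runs before WordPress and its functions are available. The block below is an added example, not code from the question or the answer, showing how to build the same redirect while treating $_GET as untrusted: the category is validated as an integer and passed as its own cat parameter (an assumption about what the form sends, and a deviation from the question's code, which appends it to the search term), and every value is percent-encoded by http_build_query() so that a newline, a <div> tag or an extra & in the input can only ever be query-string data. build_search_redirect() and redirect_to_search() are hypothetical helper names.

```php
<?php
// Added example (not from the original question or answer).
// Builds the WordPress search redirect URL from untrusted request data.

function build_search_redirect(array $get, string $base = 'http://localhost/wordpress/'): string
{
    // Missing keys become empty strings instead of raising notices.
    $s   = isset($get['s'])   ? (string) $get['s']   : '';
    $cat = isset($get['cat']) ? (string) $get['cat'] : '';

    // Assumption: the form sends a numeric category id. WordPress category ids
    // are positive integers, so anything else is dropped rather than forwarded.
    $catId = filter_var($cat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    $params = ['s' => $s];
    if ($catId !== false) {
        $params['cat'] = $catId;
    }

    // http_build_query() percent-encodes every value: "\r\n" becomes %0D%0A,
    // "<div>" becomes %3Cdiv%3E and "&" becomes %26, so user input can neither
    // start a new header line nor add parameters of its own.
    return $base . '?' . http_build_query($params);
}

function redirect_to_search(array $get): void
{
    // A 302 is used because the target depends on the submitted search;
    // a 301 would let browsers cache the redirect for that URL permanently.
    header('Location: ' . build_search_redirect($get), true, 302);
    exit;
}

// Constructed inputs (not real requests) that show the encoding; run from
// the CLI with `php example.php` to see the resulting URLs.
$samples = [
    ['s' => 'shoes', 'cat' => '7'],
    ['s' => "x\r\nX-Injected: 1", 'cat' => '7'],   // CRLF is encoded, so no extra header line
    ['s' => '<div>hi</div>', 'cat' => 'abc'],       // tag is encoded; invalid category is dropped
    ['s' => 'a&cat=3'],                              // the '&' stays inside the s value
];
foreach ($samples as $sample) {
    echo build_search_redirect($sample), "\n";
}
```

Inside a WordPress template the answer's advice applies instead: get_search_query() returns the search term already escaped for output, so the raw $_GET['s'] never needs to be echoed. The encoding step above matters only where, as in the question, the request is handled before WordPress loads.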
