diff --git a/demo/web/index.php b/demo/web/index.php
index 5fc97c33d..2b0489227 100644
--- a/demo/web/index.php
+++ b/demo/web/index.php
@@ -146,8 +146,10 @@
 		placeholder="empty"/>
 
 		<!-- hidden URI parameters -->
-		<input id="q" type="hidden" value="<?php if (isset($_GET['q'])) echo $_GET['q']; ?>"/>
-		<input id="p" type="hidden" value="<?php if (isset($_GET['p'])) echo $_GET['p']; ?>"/>
+		<input id="q" type="hidden" value=
+		"<?php if (isset($_GET['q']) && is_scalar($_GET['q'])) echo htmlentities($_GET['q'], ENT_QUOTES,'UTF-8'); ?>"/>
+		<input id="p" type="hidden" value=
+		"<?php if (isset($_GET['p']) && is_scalar($_GET['p'])) echo htmlentities($_GET['p'], ENT_QUOTES,'UTF-8'); ?>"/>
 
 		<p>WEB API (for developers):</p>
 		<p style="background-color: black; color: #bbb; padding: 3px 0 3px 6px; overflow-x: auto; white-space: nowrap;">
diff --git a/demo/web/search-relay.php b/demo/web/search-relay.php
index ab7c94206..b1345a2ac 100644
--- a/demo/web/search-relay.php
+++ b/demo/web/search-relay.php
@@ -74,7 +74,8 @@ function qry_explode($qry_str)
 $req_qry_str = '';
 $req_page = 1;
 
-if(!isset($_GET['q'])) { /* q for query string */
+/* q for query string */
+if(!isset($_GET['q']) || !is_scalar($_GET['q'])) {
 	http_response_code(400);
 	echo 'Dude, Bad GET Request!';
 	exit;
@@ -82,10 +83,10 @@ function qry_explode($qry_str)
 	$req_qry_str = $_GET['q'];
 }
 
-if(isset($_GET['p'])) /* p for page */
+/* p for page */
+if(isset($_GET['p']) && is_scalar($_GET['p']))
 	$req_page = intval($_GET['p']);
 
-
 /*
  * split and handle each query keyword
  */