P.P.S - been exploring the code of the default search function. found this:
$this->disableSecurityToken();

so i've implemented that into the code you gave earlier to give a cleaner way of getting around that security issue we were having!

public function ProductSearchForm() {
$f = new Form (
$this,
"ProductSearchForm",
new FieldSet(new TextField('s','','Search by title')),
new FieldSet(new FormAction('doProductSearch','Search'))
);
$f->setFormMethod('get');
$f->disableSecurityToken();
return $f;
}

not sure if we can take out: $f->setFormMethod('get'); now?
i tried that but then the second page of search results threw an error up, so ive left it in for now.

Why would you remove the security token? Is it causing problems? You definitely want the form method as "get", because it allows users to bookmark the search results or send someone a link. POST doesn't have that capability.