Is ‘sql injection’ already a part of that function or do I need to add my own code?
When inserting input to the database you should use prepare method of WPDB class which supports both a sprintf() – like and vsprintf() -like syntax. read more at the codex
Are there wordpress form input validation functions that I can use on my custom form?
Yes there are many and they are covered in Data Validation codex entry like toscho pointed out.