get_posts() SQL Injection

If not, how do I clean the incoming variables?

In most cases you don’t: get_posts calls WP_Query internally, and WP_Query performs some sanitization, namely via wpdb->prepare.

However, for what you’re trying to do, this is the wrong approach. Just use a standard search.php template with a standard post loop, and use input fields that have the same names as the parameters for WP_Query. WP will automatically filter as a result of them being added to the URL. There is no need for a custom page template with a custom query and custom URL parameters. It’s just unnecessary complexity, and double the database queries (don’t forget the broken pagination, dealing with 404s, etc.).
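The approach the answer recommends, as an added example that is not the answerer's code: a search form whose field names are WP_Query's public query vars (`s`, `category_name`, `orderby`), the `search.php` loop that simply iterates the main query WordPress has already built from the URL, and, for the rare case where raw SQL is genuinely needed, a constructed helper (`example_count_posts_with_term`, a hypothetical name) showing `$wpdb->prepare()` binding a value instead of concatenating it. All other function names are core WordPress; a standard theme layout is assumed.

```php
<?php
// Added example, not the answerer's code. Two template fragments and one helper.

// --- searchform.php (constructed) ---
// Every input name below is a public query var, so WP_Query reads it from the
// URL itself and applies its own sanitization while building the query
// (the answer points to wpdb->prepare). No custom $_GET handling is needed.
?>
<form role="search" method="get" action="<?php echo esc_url( home_url( '/' ) ); ?>">
    <input type="search" name="s" value="<?php echo get_search_query(); ?>" placeholder="Search">
    <select name="category_name">
        <option value="">All categories</option>
        <?php foreach ( get_categories() as $cat ) : ?>
            <option value="<?php echo esc_attr( $cat->slug ); ?>"
                <?php selected( get_query_var( 'category_name' ), $cat->slug ); ?>>
                <?php echo esc_html( $cat->name ); ?>
            </option>
        <?php endforeach; ?>
    </select>
    <select name="orderby">
        <option value="date"  <?php selected( get_query_var( 'orderby' ), 'date' ); ?>>Newest</option>
        <option value="title" <?php selected( get_query_var( 'orderby' ), 'title' ); ?>>Title</option>
    </select>
    <button type="submit">Search</button>
</form>

<?php
// --- search.php (constructed) ---
// The main query already exists: WordPress parsed ?s=...&category_name=...&orderby=...
// and handled pagination and 404s before this template ran. Only loop over it.
get_header();

if ( have_posts() ) {
    printf( '<h1>Results for "%s"</h1>', esc_html( get_search_query( false ) ) );
    while ( have_posts() ) {
        the_post();
        printf(
            '<article><a href="%s">%s</a>%s</article>',
            esc_url( get_permalink() ),
            esc_html( get_the_title() ),
            wp_kses_post( get_the_excerpt() )
        );
    }
    the_posts_pagination(); // works because this is the main query, not a second one
} else {
    echo '<p>Nothing found.</p>';
}

get_footer();

// --- Only if raw SQL is unavoidable: bind values through prepare() ---
// Constructed helper (hypothetical name). $wpdb->prepare() escapes the bound
// value; a user-supplied string is never concatenated into the SQL text.
function example_count_posts_with_term( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';   // also neutralise LIKE wildcards
    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s",
            $like
        )
    );
}
```

Note that if the `s` field is left empty and only `category_name` is set, WordPress routes the request to the category archive rather than `search.php`; it is still the main query, so pagination and 404 handling keep working without any extra code.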