How to secure my php forms

It’s not the code in the form, but how you process the form’s data.

I put this in my main ‘include’ file; it sanitizes all input data. The key is to never trust the form data without verifying it is valid. This code helps in that.

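```php
// This sanitizes all GET/POST values for security.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
// filter_input_array() returns null when there is no input, so fall back to an empty array.
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING) ?: [];
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING) ?: [];
```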

The googles/bings/ducks have lots of resources on sanitizing data. But the above is a good start, IMHO.

Added

The code you have on the input form doesn’t protect anything. It’s not needed.

The protection that is needed is on the form processing side, whichever page that is. And the filter_input_array statements need to be on that form processing page.

The only possible thing that your code does is filter the variables you use in the ‘value’ element of the input tag. For example, if $name is the name that someone filled in, and the form didn’t process, or you have previously defined $name, then your code might protect those values.

But the real protection is in your code that you use to process the page. My filter_input_array statements will help with that, but you should further ensure that the variables are ‘safe’.

(BTW, this is not really a WordPress Development question. It might be better to research over on the Stack Overflow forum.)
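
The per-field checks on the form-processing page that the answer calls for could look like the following. This is an added example, not code from the original answer; the field names (name, email, age), the limits and the sample input are assumptions made for illustration.

```php
<?php
// Added example: per-field validation on the form-processing page.
// Field names, limits and the sample input are constructed for illustration.

function validate_form(array $input): array
{
    // Treat missing or non-string values (e.g. name[]=x) as empty.
    $field = fn(string $key): string =>
        is_string($input[$key] ?? null) ? trim($input[$key]) : '';
    $clean = $errors = [];

    // Name: 1-100 letters, spaces, apostrophes or hyphens.
    if (preg_match("/^[\\p{L} '-]{1,100}$/u", $field('name'))) {
        $clean['name'] = $field('name');
    } else {
        $errors['name'] = 'Please enter a valid name.';
    }

    // Email: filter_var() returns the address, or false if it is malformed.
    $email = filter_var($field('email'), FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'Please enter a valid email address.';
    }

    // Age: must be an integer inside an allowed range.
    $age = filter_var($field('age'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors['age'] = 'Please enter an age between 13 and 120.';
    }

    return [$clean, $errors];
}

// Escape when writing a value back into HTML, e.g. the input's value attribute.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submission: the name tries to break out of the attribute.
$sample = ['name' => 'Ann"><b>x</b>', 'email' => 'ann@example.com', 'age' => '34'];
[$clean, $errors] = validate_form($sample);
printf("<input name=\"name\" value=\"%s\">\n", esc($sample['name']));
print_r(['clean' => $clean, 'errors' => $errors]);
```

Validation decides whether a value is accepted at all; escaping with htmlspecialchars() is applied separately, at the point where a value is written back into the page.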