WordPress: is it cleaning a custom query_var to avoid SQL injections?

In a perfect world, you don’t need to sanitize your queries because the WordPress ORM avoids SQL injections on the way to the database, but it is strongly recommended to clean your input data, particularly if it is input data provided by a visitor.

For example, you can use something like this:

<?php
// Read the visitor-supplied value only if it exists, then strip tags,
// line breaks and stray octets before it goes anywhere near the query.
$name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';

// WP_Query arguments ('name' is the post slug)
$args = array(
    'name' => $name,
);

// The Query
$query = new WP_Query( $args );
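The question asks about a custom query_var specifically, so here is an added example (not code from the original post) of the full path: registering the variable with the `query_vars` filter, reading it with `get_query_var()`, and sanitizing it in `pre_get_posts` before WP_Query sees it. The query var names `author_slug` and `sort_by` and the `myplugin_` function prefix are assumptions made for this example.

```php
<?php
/**
 * Added example, not part of the original post: register two custom query
 * vars and sanitize them before they reach the main WP_Query.
 * The var names "author_slug" / "sort_by" and the "myplugin_" prefix are
 * invented for this example.
 */

// 1. Declare the query vars; WordPress ignores unknown ones in the URL,
//    so get_query_var() would otherwise always return the default.
add_filter( 'query_vars', 'myplugin_register_query_vars' );
function myplugin_register_query_vars( $vars ) {
    $vars[] = 'author_slug';
    $vars[] = 'sort_by';
    return $vars;
}

// 2. Sanitize the values before handing them to the query.
add_action( 'pre_get_posts', 'myplugin_filter_main_query' );
function myplugin_filter_main_query( WP_Query $query ) {
    // Only touch the front-end main query; leave admin and secondary queries alone.
    if ( is_admin() || ! $query->is_main_query() ) {
        return;
    }

    // author_name expects a user slug (nicename). sanitize_title_for_query()
    // reduces arbitrary input to lowercase letters, digits and dashes.
    $author_slug = sanitize_title_for_query( get_query_var( 'author_slug', '' ) );
    if ( '' !== $author_slug ) {
        $query->set( 'author_name', $author_slug );
    }

    // For a value with a small known set, an allowlist is stronger than
    // sanitizing: anything not on the list falls back to the default.
    $allowed_sort = array( 'date', 'title', 'modified' );
    $sort_by      = sanitize_key( get_query_var( 'sort_by', 'date' ) );
    if ( ! in_array( $sort_by, $allowed_sort, true ) ) {
        $sort_by = 'date';
    }
    $query->set( 'orderby', $sort_by );
}
```

With this in a plugin, a request such as `/?author_slug=Some%20Name&sort_by=title` reaches the database only as the slug `some-name` and the known orderby value `title`; the sanitizer handles character shape, and the allowlist handles meaning.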

There are a lot of filter functions that can sanitize:

  • sanitize_email()
  • sanitize_file_name()
  • sanitize_html_class()
  • sanitize_key()
  • sanitize_meta()
  • sanitize_mime_type()
  • sanitize_option()
  • sanitize_sql_orderby()
  • sanitize_text_field()
  • sanitize_title()
  • sanitize_title_for_query()
  • sanitize_title_with_dashes()
  • sanitize_user()
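Several functions in that list, `sanitize_sql_orderby()` in particular, matter most when you bypass WP_Query and write SQL yourself with `$wpdb`. The following is an added example (not from the original post) showing where each tool applies: `$wpdb->prepare()` for values, `sanitize_sql_orderby()` plus an allowlist for identifiers that placeholders cannot quote. The function name `myplugin_search_titles()` is an assumption made for this example.

```php
<?php
/**
 * Added example, not part of the original post: the same "clean the input"
 * rule applied to a hand-written $wpdb query, where WP_Query's own escaping
 * is not in play. The "myplugin_" function name is invented for this example.
 */

/**
 * Published posts whose title starts with $prefix, ordered by a caller-supplied column.
 *
 * @param string $prefix  Untrusted text, e.g. from $_GET['q'].
 * @param string $orderby Untrusted "column [ASC|DESC]" string, e.g. from $_GET['orderby'].
 * @return array<object>  Rows with ID and post_title.
 */
function myplugin_search_titles( $prefix, $orderby ) {
    global $wpdb;

    // Values are never concatenated: $wpdb->prepare() quotes and escapes them.
    // esc_like() neutralises '%' and '_' in the user text so they are matched
    // literally; the trailing '%' wildcard is appended afterwards by us.
    $like = $wpdb->esc_like( sanitize_text_field( $prefix ) ) . '%';

    // Identifiers (column name, ASC/DESC) cannot go through a %s placeholder,
    // so sanitize_sql_orderby() validates the shape and returns false otherwise.
    $orderby = sanitize_sql_orderby( $orderby );
    if ( false === $orderby ) {
        $orderby = 'post_date DESC';
    }
    // The shape check does not prove the column exists or is one you want
    // exposed, so keep an allowlist of columns as well.
    $column = strtok( $orderby, ' ' );
    if ( ! in_array( $column, array( 'post_date', 'post_title', 'post_modified' ), true ) ) {
        $orderby = 'post_date DESC';
    }

    // What NOT to do, for contrast: interpolating $prefix and $orderby straight
    // into the SQL string, which is the injection the original answer warns about.

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s
         ORDER BY {$orderby}",
        $like
    );
    return $wpdb->get_results( $sql );
}
```

The split is the point: sanitizers such as `sanitize_text_field()` shape the data, `$wpdb->prepare()` makes the value safe for SQL, and for the parts of a statement that prepare cannot parameterize (column names, sort direction) the only defence is validation against a known list.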

For more information read:

https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
