I am using the get_query_var function to get a custom query_var. This query_var will be used later in the query arguments to retrieve posts with:
$the_query = new WP_Query( $args );
My question is: is it safe if I use get_query_var as it is provided, or do I need to clean this variable to avoid SQL injections?
I’ve read this post, but it is not entirely clear and it is also old.
In a perfect world, you don’t need to sanitize your queries because the WordPress ORM avoids SQL injections going to the database, but it is extremely recommended to clean your input data, particularly if it is input data provided by a visitor.
For example, you can use something like this:
// Read the raw value only if it was sent, and remove the slashes
// WordPress adds to $_POST before sanitizing it.
$name = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
// WP_Query arguments
$args = array(
    'name' => $name,
);
// The Query
$query = new WP_Query( $args );
There are a lot of filter functions that can sanitize:
- sanitize_email()
- sanitize_file_name()
- sanitize_html_class()
- sanitize_key()
- sanitize_meta()
- sanitize_mime_type()
- sanitize_option()
- sanitize_sql_orderby()
- sanitize_text_field()
- sanitize_title()
- sanitize_title_for_query()
- sanitize_title_with_dashes()
- sanitize_user()
For more information read:
https://codex.wordpress.org/Validating_Sanitizing_and_Escaping_User_Data
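Applying the answer's advice to the custom query var from the question, as an added example that is not part of either post. It assumes WordPress is loaded; the query var names `my_filter`, `my_slug`, `my_orderby` and the `book` post type are hypothetical. Each value read with get_query_var is sanitized or checked against an allow-list before it reaches WP_Query.

```php
<?php
// Added example, not code from either post. Assumes WordPress is loaded.
// Query var names and the 'book' post type are hypothetical placeholders.

// Custom query vars must be registered, otherwise get_query_var() never
// sees them (WordPress only parses the vars it knows about).
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'my_filter';
    $vars[] = 'my_slug';
    $vars[] = 'my_orderby';
    return $vars;
} );

// Build WP_Query arguments only from sanitized or allow-listed values.
// Call this from a template or a hook that runs after the main query is
// parsed (the 'wp' action or later), since get_query_var() is empty before.
function my_filtered_query_args() {
    // Free-text search term: strips tags, control characters, extra spaces.
    $filter = sanitize_text_field( get_query_var( 'my_filter', '' ) );

    // 'name' expects a post slug, so sanitize_title_for_query() fits best.
    $slug = sanitize_title_for_query( get_query_var( 'my_slug', '' ) );

    // WP_Query 'orderby' takes a key, not raw SQL: allow-list the keys we
    // accept and fall back to a default for anything else. (For a raw
    // $wpdb query you would use sanitize_sql_orderby() instead.)
    $allowed_orderby = array( 'date', 'title', 'modified', 'name' );
    $orderby         = get_query_var( 'my_orderby', 'date' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    // Page number: force a positive integer.
    $paged = max( 1, absint( get_query_var( 'paged', 1 ) ) );

    $args = array(
        'post_type'      => 'book',
        'posts_per_page' => 10,
        'paged'          => $paged,
        'orderby'        => $orderby,
        'order'          => 'DESC',
    );
    if ( '' !== $filter ) {
        $args['s'] = $filter;
    }
    if ( '' !== $slug ) {
        $args['name'] = $slug;
    }
    return $args;
}

$the_query = new WP_Query( my_filtered_query_args() );
```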