Yes, you do. With SQL injection you cannot really afford one slip-up. You can also automatically HTML-escape any output by utilising a template system such as Smarty.
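An added PHP example (not part of the answer above) of the two practices it names: a PDO prepared statement so user input is always bound as data, and Smarty's `escape_html` setting so every `{$var}` is HTML-escaped on output. The DSN, credentials, table and template names are placeholders.

```php
<?php
// Added example, not code from the original post. Assumes PDO with the
// MySQL driver and Smarty 3/4 installed via Composer; the DSN, credentials,
// 'users' table and 'users.tpl' are made-up placeholders.
require 'vendor/autoload.php';

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'placeholder', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Unsafe pattern (left commented out): one forgotten escape and the
// request parameter becomes part of the SQL text.
// $sql = "SELECT id, name FROM users WHERE name = '" . $_GET['q'] . "'";

// Safe pattern: the value is bound to a placeholder and never parsed as
// SQL, so there is no per-query escaping step to forget.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $_GET['q'] ?? '']);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Output side: turn on Smarty's automatic HTML escaping so a template
// that omits |escape on some {$var} does not become an XSS hole.
// (Property documented for Smarty 3/4; a template can opt out of it for a
// single variable with {$var nofilter}, which is where review should focus.)
$smarty = new Smarty();
$smarty->escape_html = true;
$smarty->assign('rows', $rows);
$smarty->display('users.tpl');  // every {$row.name} is HTML-escaped
```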