Yes. Always treat incoming data as if it were tainted. How rigorous you are is up to you, but check for required fields, then validate them (type, size etc) and finally escape before database entry.
http://www.projectkarma.co.uk
-- http://www.web-buddha.co.uk http://www.projectkarma.co.uk