I have a comment form that consists of 2 fields (title and comment). Database contains 3 columns: id, title and comment. Comment is displayed based on its title, like domain.com/index.php?id=sometitle
The title field is properly secured for SQL injection using mysql_real_escape_string, but the comment field, which is a textarea, is left open without escaping. I can escape it; however, I'm wondering what harm it can do to just leave it without using mysql_real_escape_string on that field, knowing that title is already escaped and it's how the output is retrieved.
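
Added example, not part of the original post: a sketch of the insert path described above, with in-memory SQLite standing in for MySQL and `PDO::quote()` standing in for `mysql_real_escape_string` (the table layout, function names and sample comments are assumptions constructed for illustration). It shows that the unescaped comment is parsed as part of the INSERT statement itself, independent of how rows are later retrieved, and contrasts that with a prepared statement.

```php
<?php
// Added illustration. SQLite in memory stands in for MySQL; the schema,
// function names and sample inputs below are assumed, not from the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, title TEXT, comment TEXT)');

// Pattern from the question: title escaped, comment concatenated raw.
function insertMixed(PDO $pdo, string $title, string $comment): string {
    $sql = 'INSERT INTO comments (title, comment) VALUES ('
         . $pdo->quote($title) . ", '" . $comment . "')";
    try {
        return 'ok, rows written: ' . $pdo->exec($sql);
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hardened form: both values are bound, so neither is ever parsed as SQL.
function insertPrepared(PDO $pdo, string $title, string $comment): string {
    $stmt = $pdo->prepare('INSERT INTO comments (title, comment) VALUES (?, ?)');
    $stmt->execute([$title, $comment]);
    return 'ok, rows written: ' . $stmt->rowCount();
}

// Constructed sample comments.
$samples = [
    'plain'      => 'Nice post',
    'apostrophe' => "It's a nice post",          // ordinary text breaks the statement
    'structure'  => "a'), ('forged-title', 'b",  // text that changes the statement's shape
];

foreach ($samples as $label => $comment) {
    echo "$label / mixed:    ", insertMixed($pdo, "mixed-$label", $comment), "\n";
    echo "$label / prepared: ", insertPrepared($pdo, "prep-$label", $comment), "\n";
}

// Dump the table: the mixed path stored a row whose title the form never submitted,
// while the prepared path stored each comment exactly as typed.
foreach ($pdo->query('SELECT id, title, comment FROM comments') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['title'], $row['comment']);
}
```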