Do I need to escape/filter data that is coming from the database? Even if said data has already been “escaped” once (at the point in time where it was inserted into the database).

For example, say I allow users to submit blog posts via a form that has a title input and a textarea input.

A malicious user submits the blog post

title: Attackposttitle');DROP TABLE posts;--

textarea: Hahaha nuked ur site noobzors!

Now as this is being inserted into my database, I am going to escape it with mysql_real_escape_string, but once it is in the database I will later reference this data in my php blog application with something like this:

sql="SELECT posttitle FROM posts WHERE id=50";
$posttitlearray = mysql_fetch_array(mysql_query($sql));

This is where my concern is, what if I, for example, run the following query to get the post content:

sql="SELECT postcontent FROM posts WHERE posttitle=$posttitlearray[posttitle]";

In theory am I not sql injecting myself? IE, am I not effectively running the query:

sql="SELECT postcontent FROM posts WHERE posttitle=Attackposttitle');DROP TABLE posts;--";

Or does the “Attackposttitle’);DROP TABLE posts;–” data continue to be escaped once it is in the database?

Do I need to continually escape it like so:

sql="SELECT postcontent FROM posts WHERE posttitle=msql_real_escape_string($posttitlearray[posttitle])";

Or is the data safe once it has been escaped initially upon first being inserted into the database?

Thanks Stack!