in reply to Re^2: is this mentality safe?
in thread is this mentality safe?
You asked about SQL injection attacks. The protective steps you've described protect against those *only*.
If you then take what's in the database and send it out in HTML, then you're publishing someone else's submission, and that's a whole different problem.
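
An added example, not part of the original post: a bound parameter stores a submission safely, yet the same text is still live markup unless it is encoded on output. The in-memory SQLite table, the function names and the sample submission are assumptions made for illustration.

```python
import html
import sqlite3

# Constructed sample submission: harmless as SQL data, active markup in a browser.
SUBMISSION = "<script>alert('hi')</script> O'Reilly & Sons"


def store_and_fetch(comment):
    """Insert with a bound parameter (the SQL injection defence) and read it back."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    # The placeholder keeps the quote and the tags out of the SQL grammar,
    # so the statement is safe, but the value is stored byte for byte.
    db.execute("INSERT INTO comments (body) VALUES (?)", (comment,))
    (body,) = db.execute("SELECT body FROM comments").fetchone()
    db.close()
    return body


def render_raw(body):
    """Unsafe output: the stored text is pasted into the page as markup."""
    return "<p>" + body + "</p>"


def render_escaped(body):
    """Encode for an HTML text or quoted-attribute context at output time."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    stored = store_and_fetch(SUBMISSION)
    print("stored verbatim:", stored == SUBMISSION)
    print("raw:    ", render_raw(stored))
    print("escaped:", render_escaped(stored))
```

Escaping belongs at the point of output and must match the context; `html.escape` covers element text and quoted attribute values, not URLs or inline script.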