PHP Variable Substitution Tricks


incrediBILL - 9:40 pm on Nov 14, 2011 (gmt 0)


It should generally be the very last variable name to be processed so someone cannot insert one of your variables into their comment.


That's why I religiously process all user content through strip_tags() which cleans out any embedded HTML and PHP tags, plus some MySQL stripping as well.
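
The ordering rule from the post above, as an added example that is not part of the original thread. The `{name}` placeholder syntax, the template, the function names and all values are assumptions constructed for illustration.

```php
<?php
// Added example: template, placeholders and values are constructed.
$template = "<h2>{title}</h2>\n<p>{comment}</p>";

// Site-owned variables; {admin_email} is not meant to appear in this template.
$siteVars = [
    '{title}'       => 'PHP Variable Substitution Tricks',
    '{admin_email}' => 'admin@example.test',
];

// Constructed user input that contains one of the site's own placeholders.
// strip_tags() removes the <b> tags, but "{admin_email}" is plain text
// and passes through untouched.
$userComment = strip_tags('Nice post! <b>Contact:</b> {admin_email}');

// User content substituted first: the later pass over the site variables
// rescans the comment and expands the placeholder the user typed.
function renderUserFirst(string $tpl, string $comment, array $vars): string
{
    $out = str_replace('{comment}', $comment, $tpl);
    return str_replace(array_keys($vars), array_values($vars), $out);
}

// Order described in the post: site variables first, user content as the
// very last substitution, so nothing processes the user's text afterwards.
function renderUserLast(string $tpl, string $comment, array $vars): string
{
    $out = str_replace(array_keys($vars), array_values($vars), $tpl);
    return str_replace('{comment}', $comment, $out);
}

// Order-independent alternative: strtr() with an array walks the template
// once and never rescans text it has already inserted.
function renderSinglePass(string $tpl, string $comment, array $vars): string
{
    $vars['{comment}'] = $comment;
    return strtr($tpl, $vars);
}

// First output contains admin@example.test inside the comment paragraph;
// the other two keep the literal text "{admin_email}".
echo renderUserFirst($template, $userComment, $siteVars), "\n\n";
echo renderUserLast($template, $userComment, $siteVars), "\n\n";
echo renderSinglePass($template, $userComment, $siteVars), "\n";
```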


Thread source: http://www.webmasterworld.com/php/4386377.htm