Tackling in reverse order just for the heck of it (and because I haven't had my coffee yet ):

The var_dump lines were mostly for your educational benefit - I wanted you to see what exactly was being returned so that you could figure out for yourself how to display things in the way that you wanted. Of course, I hadn't counted on there being an error in your .htaccess, so they turned into debugging output (and lead us to the root of the problem, i.e. that we weren't getting a $_GET['photo_id'] parameter).

You have to run your MySQL code before you have anything in $row['title'] to display. Just put that code up top and then you'll be able to insert the gallery title into your browser's title bar with no problems.

Notice in the SQL statement I added ((int)$_GET['photo_id']) - this is a basic method called type-casting that forces the value inserted into the string to be an integer. This effectively stops any/all forms of SQL injection since there is nothing that a 32-bit (or even 64- or 128-bit) integer can do to SQL. The absolute worst case is that a malformed request will result in no rows returned, which is not a Bad Thing.

The reason you had to select photo_id is because you were using $row['photo_id'] in your output; I would recommend instead not selecting photo_id in the query and instead using $_GET['photo_id'] in your output - this will be more efficient (albeit not noticeably so) but more importantly follows best practice guidelines.

I'd recommend a change to your .htaccess rule that will further protect your script: since your photo_id is always numeric (at least, I'm assuming - I just realized that you've never confirmed that and I've been assuming the whole time, so if I'm wrong ignore the rest of this paragraph), change your rule to be
RewriteRule ^/?bigimage/([0-9]+)$ bigimage.php?photo_id=$1 [L]
This will ensure that any request to /bigimage/whatever will give you a numeric photo_id. However, this does not lift the responsibility of validating your input (i.e. forcing $_GET['photo_id'] to be an integer before putting it into the SQL query), because someone who knows what's going on behind the scenes (like, say, anyone who reads this thread) can make a request directly to bigimage.php and bypass your rewrite rule altogether. Changing your rewrite rule is just one more layer to keep malformed data away from where it can do Bad Things, although in this case it's not going to add any extra security (yup, you guessed it, it's following best practice guidelines!).