Why ask when you already know the answer to that?
Of course you've heard of SQL injection attacks, so, at the very least, run your title through mysqli_real_escape_string. I'd be pickier than that, but it's a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection, but mysqli_real_escape_string will escape those (or change them to \' before submitting them in a query).
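The two layers described in the reply above, a whitelist on the title and mysqli_real_escape_string() before the value is placed in the query, as an added example (editor's code, not the poster's). The table name `posts`, the connection credentials and the 100-character limit are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Assumes a table `posts(title)`
// and placeholder credentials; adjust both for a real deployment.

declare(strict_types=1);

/**
 * Layer 1: whitelist. Accept only letters, digits and spaces, 1-100 chars.
 * A value such as "x'); DROP TABLE posts; --" is rejected here because of
 * the quote, parenthesis, semicolon and dashes.
 */
function isValidTitle(string $title): bool
{
    return preg_match('/^[A-Za-z0-9 ]{1,100}$/', $title) === 1;
}

/**
 * Layer 2: escaping. mysqli_real_escape_string() prefixes ' " \ NUL \n \r
 * and Ctrl-Z with a backslash, so "O'Brien" becomes O\'Brien and the quote
 * can no longer terminate the SQL string literal. It needs a live connection
 * because the escaping depends on the connection's character set.
 */
function buildInsert(mysqli $db, string $title): string
{
    $safe = mysqli_real_escape_string($db, $title);
    return "INSERT INTO posts (title) VALUES ('$safe')";
}

// --- usage (credentials are placeholders) ---
$db = new mysqli('localhost', 'app_user', 'app_pass', 'app');
if ($db->connect_error) {
    http_response_code(500);
    exit('Database connection failed.');
}
// Set the charset explicitly: escaping is only correct for the charset the
// connection actually uses, so never rely on the server default.
$db->set_charset('utf8mb4');

$title = $_POST['title'] ?? '';

if (!isValidTitle($title)) {
    http_response_code(400);
    exit('Title may contain only letters, digits and spaces.');
}

$sql = buildInsert($db, $title);
if (!$db->query($sql)) {
    http_response_code(500);
    exit('Insert failed.');
}
echo 'Saved.';
```

Keep the whitelist as the primary control and the escaping as the safety net, in that order: the regex rejects every character an injection needs, and the escape call is what protects the query if the whitelist is later loosened to allow apostrophes. If you change the connection charset, do it with set_charset() as above rather than with a `SET NAMES` query, since mysqli_real_escape_string() only knows about the former.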