August 6th, 2004, 10:33 AM
#6
Anything can be safe, but you need to take proper precautions in any case.
Escape everything you output (unless there is some really special, unusual case where it doesn't need to be escaped). Generally speaking, any output of user-specified values without escaping will lead to XSS vulnerabilities, so you shouldn't allow it (except perhaps by the administrator, who you assume is trustworthy).
Escape everything you put into a database. Make sure all things which are supposed to be integers really are (weakly typed languages only, of course; strongly typed languages will enforce this). Validate reasonable values. Check user input for correctness, even if normally the user has no control over it (hidden fields, drop-downs, etc.): they could manipulate the client-side environment.
Ideally use a database abstraction layer which automatically handles string escaping, then you don't need to worry so much about it.
Slarty
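The four points in the post above (escape on output, keep user data out of SQL syntax, force integers to be integers, and re-check values the client "couldn't" have changed) as one added example. This is not code from the original post or the poster; it is a stand-alone Python illustration. The table and column names (`comments`, `author`, `body`, `rating`), the allowed drop-down values and the sample inputs are all constructed for the example. Where the post says "escape everything you put into a database", the example uses parameterized queries instead, which is what a database abstraction layer gives you: the driver keeps data and SQL syntax apart, so no hand-written escaping is needed.

```python
import html
import sqlite3


class ValidationError(ValueError):
    """Raised when client-supplied input fails validation."""


# Constructed for the example: the values the rating drop-down actually offers.
ALLOWED_RATINGS = {1, 2, 3, 4, 5}


def make_db():
    """In-memory stand-in for the real database (constructed sample schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments ("
        "id INTEGER PRIMARY KEY, author TEXT, body TEXT, rating INTEGER)"
    )
    return conn


def parse_rating(raw):
    """Hidden fields and drop-downs arrive as strings the client controls.

    Coerce to int (a weakly typed layer will not do it for you) and check
    the value against the set the form really offers, not just 'is a number'.
    """
    try:
        value = int(raw)
    except (TypeError, ValueError):
        raise ValidationError("rating must be an integer")
    if value not in ALLOWED_RATINGS:
        raise ValidationError("rating is not one of the offered values")
    return value


def store_comment(conn, author, body, raw_rating):
    """Validate, then insert with a parameterized query.

    The '?' placeholders mean a body such as "'); DROP TABLE comments; --"
    is stored as literal text; it never becomes part of the SQL statement.
    """
    rating = parse_rating(raw_rating)
    cur = conn.execute(
        "INSERT INTO comments (author, body, rating) VALUES (?, ?, ?)",
        (author, body, rating),
    )
    conn.commit()
    return cur.lastrowid


def render_comment(conn, comment_id):
    """Escape at output time, once, for the context the value lands in.

    quote=True is needed for the attribute value; for text content the
    default escaping of <, > and & is enough.
    """
    row = conn.execute(
        "SELECT author, body, rating FROM comments WHERE id = ?", (comment_id,)
    ).fetchone()
    if row is None:
        return None
    author, body, rating = row
    return (
        '<div class="comment" data-author="{attr}">'
        "<b>{name}</b> ({rating}/5): {body}</div>"
    ).format(
        attr=html.escape(author, quote=True),
        name=html.escape(author),
        rating=rating,  # already an int, validated on the way in
        body=html.escape(body),
    )


def unsafe_render(author, body):
    """The 'before' case the post warns about: raw user values in HTML."""
    return "<b>%s</b>: %s" % (author, body)


def unsafe_insert_sql(author, body, rating):
    """The 'before' case for the database: string-built SQL.

    Returned as text rather than executed, to show how a single quote in
    `body` terminates the literal and the rest becomes SQL.
    """
    return (
        "INSERT INTO comments (author, body, rating) "
        "VALUES ('%s', '%s', %s)" % (author, body, rating)
    )


if __name__ == "__main__":
    db = make_db()
    cid = store_comment(db, "mallory", "<script>alert(1)</script>", "5")
    print(render_comment(db, cid))
    print(unsafe_render("mallory", "<script>alert(1)</script>"))
    print(unsafe_insert_sql("x", "'); DROP TABLE comments; --", "3"))
```

The validation step matters as much as the escaping: `parse_rating` rejects both non-numeric input and a numeric value the form never offered, which is the "manipulated client-side environment" case. Note that the escaping happens in `render_comment`, not `store_comment`; data is stored as the user sent it and encoded for whichever output context it is about to enter.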