Injection or bad in anyway?
#1
I need to programmatically create a thread with some data in it and currently I achieve it in the following way:

    // $mybb and $db are MyBB's globals; $product is the record this code is called with.
    // Set up posthandler.
    require_once MYBB_ROOT."inc/datahandlers/post.php";
    $posthandler = new PostDataHandler("insert");
    $posthandler->action = "thread";

    $usename = $db->escape_string($product['name']);
    $safename = Slug($product['name']);
    $tmessage = htmlspecialchars_uni("[color=#ff9933][size=x-large]some text {$usename}![/size][/color]\n\nmore text\n\n[url={$mybb->settings['bburl']}/{$product['id']}-{$safename}/][color=lightyellow]more text![/color][/url]");

    // Map the product type to a thread prefix id.
    if ($product['type'] == 'BETA')
    {
        $mybb->input['prefix'] = 13;
    }
    elseif($product['type'] == 'PAID')
    {
        $mybb->input['prefix'] = 11;
    }
    elseif($product['type'] == 'FREE')
    {
        $mybb->input['prefix'] = 10;
    }
    else
    {
        $mybb->input['prefix'] = 0;
    }

    // Set the thread data that came from the input to the $thread array.
    $new_thread = array(
        "fid" => $product['pid'],
        "subject" => $db->escape_string($product['name']."'s support!"),
        "prefix" => $mybb->input['prefix'],
        "icon" => 3,
        "uid" => $product['uid'],
        "username" => $db->escape_string($product['username']),
        "message" => $tmessage,
        "lastposter" => $db->escape_string($product['username']),
        "views" => 0,
        "replies" => 0,
        "visible" => 0,
        "notes" => ''
    );

    $new_thread['options'] = array(
        "signature" => 1,
        "subscriptionmethod" => 1,
        "disablesmilies" => 0
    );
    $posthandler->set_data($new_thread);
    $valid_thread = $posthandler->validate_thread();

    $post_errors = array();
    $errors = array();
    // Fetch friendly error messages if this is an invalid thread
    if(!$valid_thread)
    {
        $post_errors = $posthandler->get_friendly_errors();
        if(count($post_errors) > 0)
        {
            $errors[] = inline_error($post_errors);
        }
    }

    // Only insert the thread when validation produced no errors.
    if (empty($errors))
    {
        $thread_info = $posthandler->insert_thread();
        $tid = $thread_info['tid'];
    }

It does work, and I only have one concern: I am not using "escape_string" on the message field. The message field is mainly predefined by me, with the exception of two entries, the URL and the username.

I do use:
    $usename = $db->escape_string($product['name']);
    $safename = Slug($product['name']);

Just in case, this is my Slug function:
function Slug($string)
{
    return strtolower(trim(preg_replace('~[^0-9a-z]+~i', '-', html_entity_decode(preg_replace('~&([a-z]{1,2})(?:acute|cedil|circ|grave|lig|orn|ring|slash|th|tilde|uml);~i', '$1', htmlentities($string, ENT_QUOTES, 'UTF-8')), ENT_QUOTES, 'UTF-8')), '-'));
}
This is to make both the username and product name safe, and I was wondering if interpolating them inside my $tmessage could cause a security issue.

Thanks.
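As an added example, not code from the post or from MyBB, the following stand-alone PHP shows the three contexts the interpolated product name passes through (SQL literal, displayed BBCode text, URL slug) and the encoding each one needs. The helpers bbcode_text, sql_escape and build_support_message are hypothetical, addslashes stands in for $db->escape_string, htmlspecialchars stands in for htmlspecialchars_uni, and the square-bracket encoding is an assumed extra step, not something the post or MyBB does.

```php
<?php
// Added example, not code from the post or from MyBB: the same product name
// passes through three contexts (SQL literal, displayed BBCode text, URL slug)
// and each needs its own encoding. Plain PHP stands in for MyBB helpers.

// Slug from the post. Only [0-9a-z-] survives, which is what makes the result
// safe inside the [url=...] attribute.
function Slug($string)
{
    return strtolower(trim(preg_replace('~[^0-9a-z]+~i', '-', html_entity_decode(preg_replace('~&([a-z]{1,2})(?:acute|cedil|circ|grave|lig|orn|ring|slash|th|tilde|uml);~i', '$1', htmlentities($string, ENT_QUOTES, 'UTF-8')), ENT_QUOTES, 'UTF-8')), '-'));
}

// Hypothetical helper for text shown inside the BBCode message: HTML-escape it
// (the role htmlspecialchars_uni plays in the post) and, as an assumed extra
// step, encode square brackets so the name cannot open or close a BBCode tag.
function bbcode_text($string)
{
    $html = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    return str_replace(array('[', ']'), array('&#91;', '&#93;'), $html);
}

// Stand-in for $db->escape_string(): the backslashes it adds are consumed by
// the SQL parser and do not belong in display text or in a URL.
function sql_escape($string)
{
    return addslashes($string);
}

// Hypothetical builder mirroring the post's $tmessage, with each value encoded
// for the context it lands in; the slug is re-checked before use in the URL.
function build_support_message(array $product, $bburl)
{
    $slug = Slug($product['name']);
    if ($slug === '' || !preg_match('~^[0-9a-z-]+$~', $slug)) {
        throw new InvalidArgumentException('name does not yield a usable slug');
    }
    $name = bbcode_text($product['name']);
    return "[color=#ff9933][size=x-large]some text {$name}![/size][/color]\n\n"
        . "[url={$bburl}/{$product['id']}-{$slug}/][color=lightyellow]more text![/color][/url]";
}

// Constructed sample input: an apostrophe and a BBCode-looking fragment.
$product = array('id' => 42, 'name' => "O'Reilly's Tool [/color]");
echo "message:\n" . build_support_message($product, 'https://forum.example') . "\n";
echo "as SQL literal only: " . sql_escape($product['name']) . "\n";
```

Whether the datahandler applies escape_string to the subject, username and message on its own depends on the MyBB version; check inc/datahandlers/post.php before escaping those fields twice.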


Messages In This Thread
Injection or bad in anyway? - by sleeping - 2015-10-23, 10:57 AM
RE: Injection or bad in anyway? - by Omar G. - 2015-10-23, 11:21 PM
RE: Injection or bad in anyway? - by sleeping - 2015-10-24, 07:52 AM
RE: Injection or bad in anyway? - by dragonexpert - 2015-10-24, 01:04 PM
RE: Injection or bad in anyway? - by sleeping - 2015-10-24, 05:03 PM
RE: Injection or bad in anyway? - by Omar G. - 2015-10-24, 05:28 PM
RE: Injection or bad in anyway? - by sleeping - 2015-10-24, 05:29 PM
RE: Injection or bad in anyway? - by Omar G. - 2015-10-25, 04:51 AM
