No, don't do that.
Add
PHP Code:
if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);
below
PHP Code:
$newname = $_POST["newname"];
Edit: Wait a minute, I just realized. Rusnak had the post data things before the connect to database script. That makes sense, hijackers can't input manipulative data if they don't have access to the database yet.