There are many ways (for the user) to change the submitted data, so - yes you need to use it for radio button.

For example you can change a radio button into an input type text and easily modify the value.

ALL fields that are sent from a form to a server should be checked for valid inputs. All fields can be manipulated in such a way to do sql or other injection.

Well, you should do that to all strings that you pass to mysql, not necessarily network input ;-)

Yes you need it. Users can change form inputs as they prefer. Firebug does miracles.

Stop!

You seem to be confusing escaping with data validation and data sanitization.

You need to validate any data that comes in. Yes, this means making sure that radio buttons contain legal values.

You need to sanitize any data that comes in. Should that text field contain HTML? No? strip_tags. Should that field be a number? Cast it as an integer.

You need to escape any data that you place in the database. If you're still using the prehistoric "mysql" extension, this means using mysql_real_escape_string on everything as you build your query -- not before.

You need to escape any data you echo to the user. htmlspecialchars is your friend.

I've previously explained this in more detail, though this is not a duplicate question.

Yes. Actually, you should also be checking the value of radio buttons/lists to make sure that the value is a valid one. See in_array(). Here's an example (isset check omitted for clarity):

$validValues = array('gold', 'silver', 'bronze');

$value = $_POST['value'];

if (in_array($value, $validValues)) {
    // request is valid
} else {
    // request is invalid
}

The only time you shouldn't use mysql_real_escape_string(), and that's on values that you expect to be integers. But you must handle them carefully. Read this article:

http://www.webappsec.org/projects/articles/091007.shtml

That article covers situations in which you wouldn't expect SQL injection, including how to handle integers.