I am wondering if anything from the $_SESSION array needs to be escaped before I use it in a SQL query.
Note that I don't use cookies in my application, since I've hea
One golden rule is never trust user input; furthermore, unless the data has originated from you (i.e. your system), it should be considered 'user input', and this most certainly includes session data.
In terms of escaping session data for SQL, you can and should effectively clean the data for SQL use, such as using mysql_real_escape_string(), but depending on what data is contained within the session I would also validate the session against what you expect it should contain.
Not too sure on what you mean in regards to the cookie / session hijacking comment; I assume you mean you only use sessions to store data? In a typical PHP installation, sessions still use cookies purely as a pointer to the user's session.
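An added example, not part of the answer above, of the two steps it describes: validating session-held values against what the application expects, then keeping them out of the SQL text. It assumes a hypothetical `orders` table and uses a PDO prepared statement in place of manual escaping with mysql_real_escape_string().

```php
<?php
// Added example (not from the original answer): validate values read from the
// session before use, then bind them as query parameters instead of
// interpolating them into the SQL string.
// Assumes a hypothetical table `orders` (id, user_id, status, total).

function sessionUserId(array $session): int
{
    // A user id written by the login code should be a positive integer;
    // anything else means the session is malformed or was tampered with.
    $id = filter_var($session['user_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new RuntimeException('session user_id missing or invalid');
    }
    return $id;
}

function sessionStatusFilter(array $session): string
{
    // Whitelist: only values the application itself could have stored.
    $allowed = ['open', 'shipped', 'closed'];
    $status = $session['status_filter'] ?? 'open';
    if (!in_array($status, $allowed, true)) {
        throw new RuntimeException('session status_filter outside allowed set');
    }
    return $status;
}

function loadOrders(PDO $db, array $session): array
{
    $userId = sessionUserId($session);
    $status = sessionStatusFilter($session);

    // Parameter binding keeps the values out of the SQL text entirely, so no
    // escaping step can be forgotten or applied with the wrong connection charset.
    $stmt = $db->prepare(
        'SELECT id, total FROM orders WHERE user_id = :uid AND status = :status'
    );
    $stmt->execute([':uid' => $userId, ':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an in-memory SQLite database and a constructed array standing in
// for $_SESSION, so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, status TEXT, total REAL)');
$db->exec("INSERT INTO orders (user_id, status, total) VALUES (7, 'open', 19.99), (8, 'open', 5.00)");

$fakeSession = ['user_id' => '7', 'status_filter' => 'open'];
print_r(loadOrders($db, $fakeSession));
```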