Quick question here.

@session_start();
$session = session_id();

Would I have to clean $session before inserting into DB? Is there any way someone can change there browsers session into harmful SQL injection code?

?phpsessionid=\' Or 1=1

In short, you should.

Every ounce of data that a user may imaginably be able to edit or construe somehow should be cleaned.

Session ID's cannot be changed, if one changes the session id php will behind the scenes generate a new ID and the old session would be lost unless the user changes back the ID before the session is killed.

__________________

And I think if you try to enter characters into a session ID that aren't valid, PHP will give you a blank session ID, or generate a new one. I just remember from a while ago that when I attempted to create my own session ID in my PHP script, I couldn't enter any values outside of the hexadecimal range because I hadn't change the session ID character type.

__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.