My question is simple. I have this session user:
$user = $_SESSION['user'];
and I want to do a select with it:
select * from online where user='$user' order by id desc LIMIT 1
Do I need to prepare a $_SESSION variable as I do with POST and GET? If I do not, is there a chance of SQL injection?
select * from online where user=? order by id desc LIMIT 1
1. Do I need to prepare a $_SESSION variable as I do with POST and GET?
Yes, you do. It's as unsafe as a normal bald $_POST and $_GET.
2. If I do not, is there a chance of SQL injection?
There is such a thing as session hijacking, which makes (almost) everything possible with sessions. You definitely need to look into that. As I said before, a session is as unsafe as a $_POST or $_GET. So yes, you have a chance of SQL injection.
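A worked illustration of the answer, added here and not part of the original question or answer. It assumes a PDO connection to an in-memory SQLite database, the table `online` with columns `id` and `user` from the question, and a `$_SESSION['user']` value that originated from user input (a login or registration form) at some earlier point.

```php
<?php
// Added example (not from the original question or answer). Uses an in-memory
// SQLite database via PDO so it runs offline; table and column names follow
// the question. The session value is assumed to have come from user input.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE online (id INTEGER PRIMARY KEY, user TEXT NOT NULL)');
$pdo->exec("INSERT INTO online (user) VALUES ('alice'), ('bob'), ('alice')");

// Constructed stand-in for $_SESSION; in a real app session_start() fills it.
$_SESSION = ['user' => 'alice'];

// UNSAFE: the session value is spliced into the SQL text, exactly as in the
// question. Whatever the session holds becomes part of the query syntax.
function latestRowUnsafe(PDO $pdo, string $user): ?array
{
    $sql = "SELECT * FROM online WHERE user='$user' ORDER BY id DESC LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the value travels as a bound parameter, never as SQL syntax, so the
// query shape is fixed no matter what the session contains.
function latestRowSafe(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM online WHERE user = ? ORDER BY id DESC LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

var_dump(latestRowSafe($pdo, $_SESSION['user']));   // row with id 3, user alice

// A perfectly legitimate name containing a quote breaks the unsafe version
// (the query text is altered) but is handled as plain data by the prepared one.
$_SESSION['user'] = "o'brien";
try {
    latestRowUnsafe($pdo, $_SESSION['user']);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
var_dump(latestRowSafe($pdo, $_SESSION['user']));   // NULL: no such user, no error
```

The same rule applies with mysqli: bind the session value with `bind_param` rather than interpolating it, since the source of a value (POST, GET, cookie, or session) never makes it safe to embed in SQL text.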