Direct user input comes from these sources:
$_GET, $_POST (that together form $_REQUEST), $_COOKIE and HTTP headers (that are assigned to various elements of the $_SERVER array). Obviously you need to validate and sanitise everything that comes from here.
'SELECT somefields FROM sometable WHERE session_id = ' . $_SESSION['id']
then by manipulating cookie PHPSESSIONID one can do SQL injection.
So as IBazz already said - it is very good practice to validate and sanitise all session values as well.
Going even further - design your application so that each component trusts other components as little as necessary/possible. For example - a PHP script should assume that an attacker can manipulate data in the database directly and hence validate all data that it gets from the DB (and all headers - e.g. the referrer that comes from the web server). The DB has to assume that PHP will try to feed it malicious data and validate by the means available to it. Even the web server should do some validation on input/output.
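An added example, not part of the original answer: the concatenated query from the post next to a version that validates the session value, binds it as a parameter, and lets the database enforce the same format with a CHECK constraint. The 32-hex-character ID format, the `isValidSessionId` and `loadSessionRow` helpers and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The database validates too: the CHECK refuses rows whose ID is not 32 hex chars.
$db->exec("CREATE TABLE sometable (
    session_id TEXT PRIMARY KEY
        CHECK (length(session_id) = 32 AND session_id NOT GLOB '*[^0-9a-f]*'),
    somefields TEXT)");
$db->exec("INSERT INTO sometable VALUES ('3f2a9c0de1b47a5566778899aabbccdd', 'alice-cart')");

// Assumed format rule: IDs issued by this app are 32 lowercase hex characters.
function isValidSessionId(string $id): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', $id) === 1;
}

// Validates the value first, then binds it as a parameter so the database
// treats it as data and never parses it as SQL.
function loadSessionRow(PDO $db, string $id): ?string
{
    if (!isValidSessionId($id)) {
        return null; // reject anything that does not look like an ID we issued
    }
    $stmt = $db->prepare('SELECT somefields FROM sometable WHERE session_id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Constructed inputs: one well-formed ID and one tampered value.
$samples = [
    'well-formed' => '3f2a9c0de1b47a5566778899aabbccdd',
    'tampered'    => '0 OR 1=1',
];
foreach ($samples as $label => $id) {
    // The pattern from the post: the value becomes part of the SQL text.
    $concatenated = 'SELECT somefields FROM sometable WHERE session_id = ' . $id;
    printf(
        "%s\n  concatenated SQL: %s\n  validated + bound: %s\n",
        $label,
        $concatenated,
        var_export(loadSessionRow($db, $id), true)
    );
}
```

Run with the PHP CLI and the pdo_sqlite extension; the tampered value changes the meaning of the concatenated statement, while the validated and bound version returns NULL for it.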