When to escape data: before or after session?

As far as sanitizing data from SQL Injection Attacks and the like, at what point do you sanitize the data?

Here are 2 scenarios, which do you go with?
Scenario numero uno (Sanitize from POST to SESSION):

$_SESSION['var'] = mysqli_real_escape_string($link, $_POST['var']);
//... the $_SESSION['var'] is carried through a few more pages then inserted into the database

Scenario numero deuce (Sanitize right before it’s put into DB):

$_SESSION['var'] = $_POST['var'];
//... the $_SESSION['var'] is carried through a few more pages then sanitized right before going into the database

I guess my question is, can a session variable be edited or changed from a third party?

I would use mysql_real_escape_string() just before the mysql_query() function when you build the query command.

I use PDO prepared queries, values are auto-sanitized when you send them with the ::execute method.

Though I’m trying to figure out why you’d want to copy them to $_SESSION in the first place.