In what scenarios should session data be escaped in PHP to prevent SQL injection vulnerabilities?

Session data should be escaped in PHP whenever it is used in an SQL query. Session data can be manipulated by users, and a value that is not properly escaped can inject malicious SQL code into the query. To prevent this, always escape session data with a function such as mysqli_real_escape_string() before using it in an SQL query. The escaped value must be placed inside a quoted string literal, as in the code below, because the function only neutralizes characters that are special inside quotes, and it relies on the connection character set being set correctly (mysqli_set_charset()).

// Assumes session_start() has been called and $connection is an open mysqli connection
// Escaping session data before using it in SQL query
$escaped_data = mysqli_real_escape_string($connection, $_SESSION['user_input']);

// Using the escaped data in a SQL query
$query = "SELECT * FROM users WHERE username = '$escaped_data'";
$result = mysqli_query($connection, $query);
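The following is an added example, not code from the original answer. It runs the same lookup with a constructed session value, once by concatenating the value into the SQL text and once with a bound parameter, which removes the need to escape at all. Assumptions: an in-memory SQLite database via PDO stands in for the MySQL server so the script runs offline, and the table rows, the session value and the function names find_user_concat() and find_user_prepared() are made up for the illustration; with mysqli the equivalent calls are mysqli_prepare() and mysqli_stmt_bind_param().

```php
<?php
// Added example: SQLite in memory replaces the MySQL server (assumption),
// so no credentials or network are needed. All data below is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed session value: copied from a form field on an earlier request
// and never validated. In a web request this would follow session_start().
$_SESSION = ['user_input' => "nobody' OR '1'='1"];

// Unsafe: the session value becomes part of the SQL text, so its quote
// character ends the string literal and the rest is parsed as SQL.
function find_user_concat(PDO $pdo, string $name): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter and is only ever compared
// as data, whatever characters it contains.
function find_user_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$fromSession = $_SESSION['user_input'];

printf("concatenated, session value: %d row(s)\n",
    count(find_user_concat($pdo, $fromSession)));
printf("prepared, session value:     %d row(s)\n",
    count(find_user_prepared($pdo, $fromSession)));
printf("prepared, legitimate name:   %d row(s)\n",
    count(find_user_prepared($pdo, 'alice')));
```

The concatenated query returns every row in the table for this session value, while the prepared query returns none because no user has that literal name.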