People are far too lax with putting $_POST, $_GET, $_SESSION, etc. data directly into an SQL query.
Don't forget $_COOKIE. In fact, I personally would replace it with $_SESSION. Most of the time people know what data they are placing into $_SESSION so it shouldn't be a problem there.
I would also add to leave off the ending "?>".
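An added example, not part of the original posts, showing a $_COOKIE value handled as untrusted input and bound through a PDO prepared statement instead of being placed directly into the query. The table, column and cookie names are assumptions, the data is constructed, and it assumes PHP 8 with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. The prefs table, its columns and
// the "pref_token" cookie name are hypothetical.
declare(strict_types=1);

// Constructed in-memory database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prefs (token TEXT PRIMARY KEY, theme TEXT)');
$pdo->exec("INSERT INTO prefs VALUES ('abc123', 'dark'), ('def456', 'light')");

/**
 * Look up a theme by a token taken from a request superglobal.
 * The value is validated, then bound as a parameter, never concatenated.
 */
function themeForToken(PDO $pdo, mixed $token): ?string
{
    // Superglobal entries can arrive as arrays (a cookie named "pref_token[]"),
    // so check the type before checking the format.
    if (!is_string($token) || preg_match('/\A[a-z0-9]{6,64}\z/', $token) !== 1) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT theme FROM prefs WHERE token = :token');
    $stmt->execute([':token' => $token]);
    $theme = $stmt->fetchColumn();
    return $theme === false ? null : $theme;
}

// The pattern the thread warns about, shown for contrast only (not executed):
//   $pdo->query("SELECT theme FROM prefs WHERE token = '" . $_COOKIE['pref_token'] . "'");

// Constructed sample values standing in for $_COOKIE['pref_token'].
$samples = ['abc123', "x' OR '1'='1", ['abc123'], 'nomatch99'];
foreach ($samples as $value) {
    $theme = themeForToken($pdo, $value);
    echo json_encode($value), ' => ', $theme ?? 'rejected or not found', PHP_EOL;
}
// No closing "?>" tag, as suggested above: nothing after the code can send
// stray whitespace to the client.
```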