Protecting php/mysql - what im doing

Im investigating what methods exist to compromisse php/mysql made websites, and this is what im doing until now

1) using htmlentities (avoid XSS attacks)
2) magic_quotes_gpc is on (avoid sql injections)

also for user authetication im using

$user = $_POST["user"];
$pass = sha1($_POST["pass"]);

$query = "SELECT * from users WHERE username='" . $user . "' AND password = '" . $pass . "'";

$result = mysql_query($query);

$row = mysql_fetch_object($result);
if ($row) {
session_start();
$_SESSION["access"] = "granted";
$_SESSION["id"] = $row->id;
header('Location: welcome.php');
}
else { header('Location: login.html'); }

the verification is then done in each page with

session_start();

header("Cache-control: private");
if ($_SESSION["access"] == "granted") {
echo "welcome registered user";
}
else
header('Location: login.html' );


so, is 1) and 2) enough to foil attacks? im i missing something here? i heard that even with magic_quotes_gpc on its still possible to do sql injection, however i couldnt find anything on google.

Second question, (maybe a stupid one, i just want to be sure), are $_SESSION variables server side, that is, its not possible for a user to alter the value of this variable?

 

$query = "SELECT * from users WHERE username='" . $user . "' AND password = '" . $pass . "'";

Code (markup):

try

$query = "SELECT * from users WHERE username='" . mysql_real_escape_string($user) . "' AND password = '" . mysql_real_escape_string($pass) . "'";

Code (markup):

for starters, that should help alot.

while the session information is serverside, it is possible to change the cookie id session uses, but unlikey.