So what kinds of things should a person using PHP and MySQL be focused on to maximize security?
Things I have done:
- mysql_real_escape_string all inputs
- validate all inputs after escaping them
- placed random alphanumerics before my table names
- 50-character salt + RIPEMD passwords
Here's where I think I am slacking:
- I know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is:
session_start();
$_SESSION['login']= $login;
and checking it with:
session_start();
if (isset($_SESSION['login'])) {
    // page content for logged-in users
}
- I heard something about other forms of injection like cross-site injection and whatnot…
- And probably many other things I don't know about.
Is there a "checklist"/quick tutorial on making PHP secure? I don't even know what I should be worried about. I kinda regret now not building off CakePHP since I am not a pro.
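As an added example (not code from the original question), here is the asker's two snippets grown into a small session module: start the session with hardened cookie settings, issue a fresh session id when the user logs in, check the login the same way the question does, and require a recent password entry before sensitive actions. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and that the site is served over HTTPS; the $_SESSION key names, the 15-minute re-auth window and the 30-minute idle timeout are choices made here, not anything from the page.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3 and HTTPS
// everywhere; key names and timeouts below are this example's own choices.

function start_secure_session(): void {
    ini_set('session.use_only_cookies', '1'); // never accept ?PHPSESSID=... in the URL
    ini_set('session.use_strict_mode', '1');  // ignore session ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,       // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only (assumption: TLS on every page)
        'httponly' => true,    // not readable by JavaScript, so an XSS bug cannot read it
        'samesite' => 'Lax',   // not attached to cross-site POST requests
    ]);
    session_start();
}

// Call only after the password check has already succeeded.
function establish_login(string $login): void {
    // A new id at login means an id an attacker planted in the victim's browser
    // beforehand (session fixation) does not become an authenticated session.
    session_regenerate_id(true);
    $_SESSION['login']   = $login;
    $_SESSION['auth_at'] = time();   // when the password was last typed
    $_SESSION['seen_at'] = time();   // last request, for the idle timeout
}

// The asker's isset() check plus an idle timeout. Returns the login name, or
// null when nobody is logged in (the caller redirects to the login page).
function current_login(int $idle_limit = 1800): ?string {
    if (!isset($_SESSION['login'], $_SESSION['seen_at'])) {
        return null;
    }
    if (time() - $_SESSION['seen_at'] > $idle_limit) {
        end_session();               // stale session: drop it rather than trust it
        return null;
    }
    $_SESSION['seen_at'] = time();
    return $_SESSION['login'];
}

// For password or e-mail changes: true when the user must type the password
// again first, because the last entry is older than $max_age seconds.
function requires_fresh_login(int $max_age = 900): bool {
    return !isset($_SESSION['auth_at']) || (time() - $_SESSION['auth_at']) > $max_age;
}

// Full logout: clear server-side data, expire the cookie, destroy the session.
function end_session(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Typical page flow (paths are placeholders):
// start_secure_session();
// if (current_login() === null) { header('Location: /login.php'); exit; }
// if ($is_password_change && requires_fresh_login()) { header('Location: /login.php?reauth=1'); exit; }
```

The two things the original snippet lacks are the session_regenerate_id() call at login and the cookie flags; without the first, any session id an attacker can get into the victim's browser before login becomes the victim's authenticated session, and without `secure`/`httponly` the cookie is exposed to plain-HTTP sniffing and to any script injected into the page.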
There are multiple ways of hacking. The first is when an actual (or fake) user is trying to find gaps in your software to try to damage your server. You will need the escaping and input checking to prevent SQL injection to work around this.
The (or ‘an’) other is a hacker that tries to steal a session to impersonate another user. This allows them to reach (and change) data they are not entitled to.
SQL injection is fixed by using mysql_real_escape_string. When you use that and use it right, there is no need to be afraid of SQL injection. There is no need to prepend random characters to table names. This will make your programming harder while not providing any real additional safety.

You could also use mysqli and parameterized queries, which don't have this problem at all. mysqli takes care of the escaping for you. Theoretically, parameterized queries could even run faster, because the queries can be more efficiently cached. In practice, however, this is not the case. It is only since MySQL 5.2 that these queries are cached at all, and still not as efficiently as they could be. That is, however, nothing to worry about right now. Any solution will probably perform well enough for you right now.

One thing you shouldn't do, ever, is allow PHP code in user-generated content. If you allow users to type PHP, you will allow them to break your application and possibly modify your database. Also, when a hacker manages to impersonate a user/content editor, he gets a complete toolbox for free when you allow the content to contain PHP.
To prevent sessions from being hijacked, I think it is best to use SSL. If you don't want to serve all your pages via SSL, you could choose to save a session in cookies, but demand a re-login (using SSL) whenever important changes are done.
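As an added example (not code from the answer or the question), here is the same lookup written three ways, to show what "use it right" means for escaping and why bound parameters are the simpler rule, plus the output side for user-written content. It uses the mysqli extension rather than the old mysql_* functions (which were removed in PHP 7); it assumes a mysqli connection `$db`, a table `users` with columns `id`, `login` and `bio`, and the mysqlnd driver for `get_result()`. Those names are placeholders for the asker's own schema.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection $db,
// a "users" table with id/login/bio columns, and the mysqlnd driver.

// 1. Escaping, used right: the escaped value sits inside quotes, so the only
//    characters that could end the string literal are neutralised.
function find_user_escaped(mysqli $db, string $login): ?array {
    $safe = $db->real_escape_string($login);
    $res  = $db->query("SELECT id, login, bio FROM users WHERE login = '$safe'");
    return $res->fetch_assoc() ?: null;
}

// 2. Escaping, used wrong: no quotes around a numeric column. real_escape_string
//    only escapes quotes, backslashes, NUL and a few control characters, so an
//    id of "1 OR 1=1" passes through untouched and the WHERE clause matches
//    every row. This is the "when you use it right" caveat made concrete.
function find_user_by_id_broken(mysqli $db, string $id): ?array {
    $safe = $db->real_escape_string($id);
    $res  = $db->query("SELECT id, login, bio FROM users WHERE id = $safe");
    return $res->fetch_assoc() ?: null;
}

// 3. Prepared statement with a bound parameter: the SQL text is sent to the
//    server first and the value separately, so nothing in the value can change
//    the query's structure, quoted or not. The caller validates the id as an
//    integer before it gets here (see usage below).
function find_user_by_id(mysqli $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, login, bio FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Output side. User-written content is stored verbatim and HTML-encoded only
// when rendered, so a stored "<script>" prints as text instead of running in
// other visitors' browsers (stored cross-site scripting, the "cross-site
// injection" the asker mentions). It is never handed to eval() or include().
function render_bio(array $user): string {
    return '<p>' . htmlspecialchars($user['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage (credentials are placeholders):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $db->set_charset('utf8mb4'); // escaping depends on the connection charset; set it here
// $id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
// $user = ($id === false) ? null : find_user_by_id($db, $id);
// echo $user ? render_bio($user) : 'no such user';
```

Two details worth keeping in mind: the connection charset must be set with set_charset() rather than a raw `SET NAMES` query, because real_escape_string needs to know the charset to escape correctly, and the integer validation happens before the value reaches the query, so the prepared statement never sees anything but a number.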