
Is this form safe to be used on the web?

Can I be hacked with it?


jake66

4:22 am on Jun 15, 2008 (gmt 0)




This is the data I'm passing from the form, to get and place data into a MySQL database:

$id= tep_db_prepare_input(mysql_real_escape_string(strip_tags(htmlspecialchars($_GET['sess_id']))));
$product_id= tep_db_prepare_input(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST["product_id"]))));
$email = tep_db_prepare_input(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST["mail"]))));
$category_id= (int)$_POST["category_id"];
$date_time= tep_db_prepare_input(mysql_real_escape_string(strip_tags(htmlspecialchars(date('Y-m-d H:i:s')))));

Some data is validated later on, with:


$query_pull = "select * from table where
category_id='".strip_tags((int)$category_id)."' and
email='".strip_tags(addslashes($email))."' ";
$result_query = mysql_query($query_pull) or die(mysql_error());

Is this necessary? I only need to validate stuff going in the database, right?

rob7591

12:46 pm on Jun 15, 2008 (gmt 0)




No, you need to validate for every query that you run on the db. You should validate SELECT queries too.

E.g. they set email to:
'; UPDATE table SET access = 9999999 WHERE email='myemail

I think your validation is a little excessive, the strip_tags and htmlspecialchars kinda contradict each other, don't you think? (you're not going to have any html tags after you do htmlspecialchars).

If you have magic quotes enabled, you can just do:
mysql_real_escape_string(stripslashes($_GET['sess_id']))

If you don't have magic_quotes enabled, you can just do mysql_real_escape_string();

I never use mysql_real_escape_string because I have magic_quotes enabled, and I validate anything that's not going into quotes in my query to make sure it's an integer.

PHP_Chimp

8:28 pm on Jun 15, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Magic quotes do not protect against SQL injection, as they are not multibyte safe.

Have a google for "multibyte SQL injection".

The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character;

So magic quotes offer almost no protection and are annoying as you have to remove them before you echo any output. That may be why they have been removed from PHP 6...

So as said in the mysql_real_escape_string [uk3.php.net] manual:

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
...
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

One exception I can think of is numeric data where you have checked that with a function like is_numeric.

jake66

5:03 am on Jun 17, 2008 (gmt 0)




So this is all I need to ensure no one can hack my site through my forms:

strip_tags(htmlspecialchars($myresult));

Am I understanding you guys correctly?

rob7591

8:18 pm on Jun 17, 2008 (gmt 0)




No, I would do:
mysql_real_escape_string(stripslashes($myresult));
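The thread settles on mysql_real_escape_string; as an added example (not code from any poster), here is jake66's SELECT rewritten with a parameterized query, which sends values separately from the SQL text and so is not exposed to the quoting and connection-charset pitfalls PHP_Chimp describes. It assumes PHP with the pdo_sqlite extension; the users table and its rows are constructed so the script runs without a MySQL server.

```php
<?php
// Added example: jake66's lookup as a parameterized query.
// Assumes the pdo_sqlite extension; the table and rows below are constructed
// so that this runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, category_id INTEGER, access INTEGER)');
$db->exec("INSERT INTO users VALUES ('myemail', 3, 1), ('other@example.com', 3, 1)");

// Values are bound, never spliced into the SQL string, so no quote in the
// input can terminate the literal, whatever the connection character set.
function lookup(PDO $db, string $email, $categoryId): array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [];                 // reject malformed input rather than "cleaning" it
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE category_id = :cat AND email = :email');
    $stmt->execute([':cat' => (int) $categoryId, ':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal lookup, and then the email value from rob7591's reply passed straight through.
echo "valid address: ", count(lookup($db, 'other@example.com', '3')), " rows\n";
$hostile = "'; UPDATE users SET access = 9999999 WHERE email='myemail";
echo "hostile, with format check: ", count(lookup($db, $hostile, '3')), " rows\n";

// Even without the format check, the bound value is only a string compared
// against the column; the UPDATE inside it is never parsed as SQL.
$stmt = $db->prepare('SELECT * FROM users WHERE category_id = :cat AND email = :email');
$stmt->execute([':cat' => 3, ':email' => $hostile]);
echo "hostile, bound only: ", count($stmt->fetchAll(PDO::FETCH_ASSOC)), " rows\n";

// Read back the column the payload tried to change.
$access = $db->query("SELECT access FROM users WHERE email = 'myemail'")->fetchColumn();
echo "access for myemail after the hostile lookups: ", $access, "\n";
```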