Please look at the code below:
$username = $_POST['username'];
$_SESSION['user_name'] = $username;
Do I have to use the mysql_real_escape_string() function while I'm setting the $username value too? Is there any threat here if I don't?
Attention: I used PDO while I want to work with MySQL.
No, you do not need to escape it in any way there. You only need to escape text if you are concatenating it with other text where certain characters may have a special meaning. See The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
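The point above, shown as an added example that is not part of the original question or answer: the value is stored unmodified and is only encoded where it gets embedded in another language. The `$session` array, the sample username and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made so the script runs offline from the command line; the same `prepare()`/`execute()` calls apply to a PDO MySQL connection.

```php
<?php
// Constructed sample input standing in for $_POST['username'].
$username = "O'Reilly <script>alert(1)</script>";

// 1. Plain assignment: nothing parses the value here, so nothing is escaped.
$session = [];                       // hypothetical stand-in for $_SESSION
$session['user_name'] = $username;

// 2. SQL context: bind the value as a parameter instead of concatenating it
//    into the query string. No mysql_real_escape_string() is involved.
$pdo = new PDO('sqlite::memory:');   // assumption: SQLite so no server is needed
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $session['user_name']]);

// The database returns exactly what was stored, quote and markup included.
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();
if ($stored !== $username) {
    throw new RuntimeException('value changed during the round trip');
}

// 3. Output contexts: encode at the point of use, once per target language.
$asHtml = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'); // HTML body or attribute
$asUrl  = rawurlencode($stored);                          // URL query component
$asJson = json_encode(                                    // JSON inside a <script> block
    $stored,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

echo "<p>Welcome, {$asHtml}</p>\n";
echo "<a href=\"/profile?name={$asUrl}\">profile</a>\n";
echo "<script>var userName = {$asJson};</script>\n";
```

Escaping the value before it goes into the session would leave it double-encoded in some of these contexts and still unprotected in others, which is why the encoding step belongs next to each output.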