This is safe. If you don't feel safe: it only has characters and integers, so you can easily test that it is an md5 string (see example below). But again, there is no need for all of that.
An alternative would be prepared statements. They're a bit more complex, but safe:
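```php
$stmt = $mysqli->prepare("INSERT INTO test(id) VALUES (?)");
// bind_param() takes its values by reference, so pass a variable, not a literal
$id = 'a1b2c3';
$stmt->bind_param("s", $id); // s stands for String, i would be Integer
$stmt->execute();
```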
This is a very simplified example; the URL above the code block explains more. Keep in mind that prepared statements have an overhead! Doing this for 1 execution per query will slow things down.
Small example to check if a string could be an md5 hash:
```php
function isMd5($string){
    // md5 strings are 32 chars* long. Simple test, do that first:
    if( strlen($string)!==32){ return false; }
    // It only has chars (a-f) and integers, if any other character->not md5
    elseif( preg_match('/[^0-9a-f]/', $string) ){ return false; }
    // No errors, return true:
    return true;
}
// *rawmode has 16 chars, but when you work with that, you'll know
```
This is not a very useful function, because it will not really secure a lot; this is just to show you how you can verify info. You read the documentation to see the results, and make checks to test if it matches possible results.
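The two ideas from the answer above combined, as an added example that is not part of the original answer: a strict format check on the digest followed by a bound parameter. It assumes PDO with the SQLite driver and an in-memory database in place of the MySQL connection; `isMd5Hex()` and `storeHash()` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example, not from the original answer.
// Assumption: PDO + in-memory SQLite stands in for the MySQL connection.

function isMd5Hex($value): bool
{
    // \A and \z anchor to the absolute start and end of the string.
    // With ^...$ a trailing "\n" would still match, so "hash\n" would pass.
    // md5() returns lowercase hex, so uppercase is rejected here as well.
    return is_string($value) && preg_match('/\A[0-9a-f]{32}\z/', $value) === 1;
}

function storeHash(PDO $db, string $hash): bool
{
    if (!isMd5Hex($hash)) {
        return false; // reject before touching the database
    }
    // The value is still bound, never concatenated into the SQL text.
    $stmt = $db->prepare('INSERT INTO test(id) VALUES (?)');
    return $stmt->execute([$hash]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (id TEXT PRIMARY KEY)');

// Constructed sample inputs.
$samples = [
    'valid lowercase hex' => md5('example'),
    'trailing newline'    => md5('example2') . "\n",
    'uppercase hex'       => strtoupper(md5('example3')),
    'raw 16-byte digest'  => md5('example4', true),
    'contains a quote'    => "it's not a hash",
];

foreach ($samples as $label => $input) {
    printf("%-20s %s\n", $label, storeHash($db, $input) ? 'stored' : 'rejected');
}

// Count the rows that passed validation and were inserted.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM test')->fetchColumn(), "\n";
```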