It's only a security risk if you don't scrub the data in the URL variable. Use htmlentities() to prevent any security issues:
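<?php
// Start a session if one is not already active.
if (!session_id()) session_start();
// Store the affiliate ID only once, and only when the parameter is a string.
if (!isset($_SESSION["affiliateid"]) && is_string($_GET['affiliateid'] ?? null)) {
    // Encode HTML special characters (including both quote types) before storing.
    $_SESSION["affiliateid"] = htmlentities($_GET['affiliateid'], ENT_QUOTES);
}
?>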
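
An added example, not part of the original post: the same session logic with the affiliate ID checked against an allowlist pattern before it is stored, and HTML encoding applied at the point of output. The ID format (1 to 32 letters, digits, underscores or hyphens) and the function names are assumptions.

```php
<?php
// Added example; the ID format and function names are assumptions, not from the post.

// Accept only IDs that match the expected shape; return null otherwise.
function clean_affiliate_id($raw): ?string
{
    if (!is_string($raw)) {          // ?affiliateid[]=x arrives as an array
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Store the first valid ID seen; later requests do not overwrite it.
function remember_affiliate(array &$session, array $query): void
{
    if (isset($session['affiliateid'])) {
        return;
    }
    $id = clean_affiliate_id($query['affiliateid'] ?? null);
    if ($id !== null) {
        $session['affiliateid'] = $id;
    }
}

// Encode for the HTML context where the value is written into a page.
function render_affiliate(array $session): string
{
    $id = $session['affiliateid'] ?? '';
    return '<span class="aff">' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Constructed sample inputs standing in for $_GET on separate requests.
$samples = [
    ['affiliateid' => 'partner-42'],      // well-formed ID: stored
    ['affiliateid' => '"><b>x</b>'],      // markup characters: rejected
    ['affiliateid' => ['nested']],        // array instead of string: rejected
    [],                                   // parameter missing: nothing stored
];
foreach ($samples as $query) {
    $session = [];                        // stands in for $_SESSION
    remember_affiliate($session, $query);
    echo var_export($session['affiliateid'] ?? null, true), ' => ',
        render_affiliate($session), PHP_EOL;
}
```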