I have started coding in WordPress and noticed a weird behaviour: my $_POST values were being escaped, although magic quotes are turned off. So after some research I found out that WP escapes superglobals even if magic quotes are off (a lot of WP programmers don't seem to be aware of that... I guess some plugins are probably even vulnerable to SQL injection). Fine, but...
I found out that some core functions expect escaped values and some don't.
e.g.
wp_insert_post expects all data to be escaped.
wpdb->update/insert/delete expects all data not to be escaped.
How do I know when to escape and when not? I will not talk about implementations of actions (I guess I would need to dig through each action and see which core functions it is calling and whether I need to escape or not?).
Is there a list/guideline for this? It's all so confusing...
I think I'm missing something (a config?); developing in WP shouldn't be that insecure, right?
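An added example (my own, not code from the question or from WordPress core) of the pattern that reconciles the two conventions described above: unslash $_POST exactly once, sanitize the raw value, then re-slash only for the APIs that want slashed input. The wp_unslash()/wp_slash() fallbacks and the constructed $request array are there so the script also runs outside WordPress; the table name my_table is an assumption.

```php
<?php
// Fallbacks so this script also runs outside WordPress; inside WP the real
// core functions are already defined and these two blocks are skipped.
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {          // mirrors core stripslashes_deep()
        return is_array($value) ? array_map('wp_unslash', $value) : stripslashes($value);
    }
}
if (!function_exists('wp_slash')) {
    function wp_slash($value) {            // mirrors core wp_slash(): adds one level
        return is_array($value) ? array_map('wp_slash', $value) : addslashes($value);
    }
}

// Constructed request standing in for $_POST as WordPress hands it to plugin
// code: wp_magic_quotes() has already added one level of slashes, whatever
// PHP's magic_quotes setting was.
$request = wp_slash(['title' => "O'Reilly & Sons", 'body' => 'He said "hi" C:\\tmp']);

// Takes the slashed request and returns each value in the form the two kinds
// of core API expect. Sanitization is a bare trim() here; in a real plugin
// use sanitize_text_field() and friends on the UNslashed value.
function shape_for_core(array $slashed_request): array {
    // 1. Undo WordPress's slashing exactly once so we hold the raw value.
    $raw   = wp_unslash($slashed_request);
    $title = trim($raw['title']);
    $body  = trim($raw['body']);
    return [
        // $wpdb->insert()/update()/delete() and $wpdb->prepare() want RAW data;
        // they escape for SQL themselves. Feeding them still-slashed $_POST
        // stores literal backslashes (the classic double-escaping bug).
        'wpdb_row' => ['title' => $title, 'body' => $body],
        // wp_insert_post()/wp_update_post() expect SLASHED data (they call
        // wp_unslash() internally), so raw values are re-slashed first;
        // otherwise a backslash the user typed is silently lost.
        'postarr'  => wp_slash(['post_title' => $title, 'post_content' => $body]),
    ];
}

$shaped = shape_for_core($request);

if (isset($wpdb) && function_exists('wp_insert_post')) {   // only inside WordPress
    $wpdb->insert($wpdb->prefix . 'my_table', $shaped['wpdb_row'], ['%s', '%s']);
    wp_insert_post($shaped['postarr']);
}

// Stand-alone run: the same input carries no slashes for $wpdb and exactly
// one level for wp_insert_post().
printf("for \$wpdb:          %s\n", $shaped['wpdb_row']['body']);
printf("for wp_insert_post: %s\n", $shaped['postarr']['post_content']);
```

The rule of thumb the code encodes: anything reaching $wpdb goes through wp_unslash() first and is then bound with prepare()/insert()/update(), while the higher-level wp_insert_* / wp_update_* functions receive wp_slash()'d arrays.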