Hello,

I am wondering if WordPress' insert function also adds slashes to data. If it doesn't, it would seem that the prepare query method would be better to prevent against SQL injection. I tried looking the issue up in their codex/API; however, it seems undocumented. Thanks!

+1  A: 

WordPress uses ezSQL to query the database. Technically, it is not an abstraction layer, but it does take away some of the boilerplate code. ezSQL has an escape function, so I assume that WordPress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code.

This is how you escape a string in WordPress:
global $wpdb; // the WordPress database object, available inside WordPress
$safe_string = $wpdb->escape($unsafe_string); // returns the string with SQL special characters escaped

DrDee
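To make the question's insert-versus-prepare comparison concrete, here is an added example (not from the original post or from WordPress itself) contrasting an unsafe concatenated INSERT with the two parameterised forms wpdb offers; it assumes it runs inside WordPress, and the table name `{$wpdb->prefix}notes` is hypothetical.

```php
<?php
// Added example, not part of the original thread. Assumes it runs inside
// WordPress (global $wpdb is set up) and that a hypothetical table
// {$wpdb->prefix}notes with columns id, title, body exists.
global $wpdb;
$table = $wpdb->prefix . 'notes';

// Untrusted request input. WordPress adds slashes to $_POST on load, so
// strip them first; escaping is then done once, by wpdb, below.
$title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
$body  = isset( $_POST['body'] )  ? wp_unslash( $_POST['body'] )  : '';

// UNSAFE: interpolating raw input into SQL. A single quote in $title
// terminates the string literal, so the rest of the value becomes SQL.
// $wpdb->query( "INSERT INTO $table (title, body) VALUES ('$title', '$body')" );

// SAFE (1): $wpdb->prepare() with placeholders. wpdb escapes and quotes
// each value itself: %s for strings, %d for integers, %f for floats.
$sql = $wpdb->prepare(
    "INSERT INTO {$table} (title, body) VALUES (%s, %s)",
    $title,
    $body
);
$wpdb->query( $sql );

// SAFE (2): $wpdb->insert() escapes every value before building the
// statement, so no extra addslashes() is needed. The third argument pins
// the format of each column so a value is never treated as raw SQL.
$wpdb->insert(
    $table,
    array( 'title' => $title, 'body' => $body ),
    array( '%s', '%s' )
);

// WHERE clauses are injection points too, so reads go through prepare()
// as well rather than string concatenation.
$row = $wpdb->get_row(
    $wpdb->prepare( "SELECT id, title FROM {$table} WHERE title = %s", $title )
);
```

Whichever form is used, the value must be slash-stripped exactly once and escaped exactly once; double-escaping stores literal backslashes while skipping the escape step leaves the injection open.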