For GET and POST variables, I escape them before putting them in SQL queries. Is escaping safe enough?
PHP's escaping functions are bad. They're so bad they had to deprecate mysql_escape_string and rename it mysql_real_escape_string, then they had to further deprecate that and rename it "mysqli_real_escape_string". If you're not using that last function, it is definitely not safe enough. You're probably better off using prepared statements, since it's the least crufty API.
Additionally, you need to escape content depending on how you're using it. For example, if you're taking user input and outputting into an HTML document, you need to escape the data to prevent XSS attacks.
If you have any user-based actions you need to make sure you're protecting against CSRF attacks using a token. Also, for user accounts, make sure you're handling passwords correctly.
Your site is not secure if you have a valid HTTPS certificate. HTTPS only protects you against MITM attacks. While it is good to have, you shouldn't feel like you're safe because you have it. The main point of failure is always going to be your code, so make sure you're familiar with security best practices.
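
An added example, not part of the original posts, showing the per-context handling the answer describes: a bound parameter for the SQL context, HTML encoding at output time, and hashed password storage. It assumes PHP 8 with the pdo_sqlite extension; the `users` table, the helpers `findUser` and `h`, and all input values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Passwords: store a salted hash, never the password itself.
$insert = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
$insert->execute([
    ':name' => 'alice',
    ':hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// Hypothetical helper: look a user up by a name taken from $_GET/$_POST.
function findUser(PDO $pdo, string $name): ?array
{
    // SQL context: the value travels as a bound parameter, not as query text.
    $stmt = $pdo->prepare('SELECT id, name, pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper: the HTML context needs its own encoding at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for request parameters.
$inputs = ['alice', "alice' OR '1'='1", '<script>alert(1)</script>'];
foreach ($inputs as $input) {
    $user = findUser($pdo, $input);
    $result = ($user !== null) ? 'found id ' . $user['id'] : 'no match';
    echo '<p>Lookup for "', h($input), '": ', $result, "</p>\n";
}

// Password check against the stored hash.
$alice = findUser($pdo, 'alice');
var_dump(password_verify('correct horse', $alice['pw_hash']));
var_dump(password_verify('wrong guess', $alice['pw_hash']));
```

Only the exact name `alice` matches a row; the other two inputs are compared as literal strings in the query and appear HTML-encoded in the output.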