There are so many answers for PHP and MySQL, but here is code for PHP and Oracle for preventing SQL injection as well as regular use of oci8 drivers:
```php
// Oracle connect descriptor built from the server name and SID
$connection_string = "(DESCRIPTION=(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST =$serverName)(PORT = 1521)))(CONNECT_DATA=(SID=$databaseName)))";
$conn = oci_connect($username, $password, $connection_string);
// :xx is a bind placeholder; its value is passed separately from the SQL text
$stmt = oci_parse($conn, 'UPDATE table SET field = :xx WHERE ID = 123');
oci_bind_by_name($stmt, ':xx', $fieldval);
$ok = oci_execute($stmt);
```
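
An added example, not part of the original answer: the same bind-variable pattern wrapped in a function that binds every value, checks errors with `oci_error()`, and allow-lists the column name, since identifiers cannot be bound. The table `accounts`, its columns, the helper name `update_field` and the connection values are hypothetical.

```php
<?php
// Added example. Table "accounts", columns "email"/"display_name" and the
// helper name are hypothetical, not from the original answer.

// Bind variables carry data only. A column name that varies at run time
// has to be checked against a fixed list before it goes into the SQL text.
const UPDATABLE_COLUMNS = ['email', 'display_name'];

function update_field($conn, string $column, string $value, int $id): int
{
    if (!in_array($column, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }

    $stmt = oci_parse($conn, "UPDATE accounts SET $column = :val WHERE id = :id");
    if ($stmt === false) {
        throw new RuntimeException(oci_error($conn)['message']);
    }

    // oci_bind_by_name() binds by reference: $value and $id must stay in
    // scope until oci_execute() has run.
    oci_bind_by_name($stmt, ':val', $value);
    oci_bind_by_name($stmt, ':id', $id, -1, SQLT_INT);

    if (!oci_execute($stmt)) {          // default mode commits on success
        $e = oci_error($stmt);
        oci_free_statement($stmt);
        throw new RuntimeException($e['message']);
    }

    $rows = oci_num_rows($stmt);        // rows affected by the UPDATE
    oci_free_statement($stmt);
    return $rows;
}

// Placeholder credentials and connect string (constructed for this example).
$conn = oci_connect('app_user', 'app_password', 'localhost/XEPDB1');
if ($conn === false) {
    throw new RuntimeException(oci_error()['message']);
}

// Constructed input: the quote in this value would break a concatenated
// statement; as a bound value it is stored unchanged.
$changed = update_field($conn, 'display_name', "O'Brien", 123);
echo "rows updated: $changed\n";
```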