Sanitization against SQL Injection for Input going into an Oracle database
Hello, I have been working for a while with PHP and MySQL. Now I am working in a PHP-Informix and PHP-Oracle environment. I have always used mysql_real_escape_string for the data going into the database. I am presently working on Informix and Oracle database servers, and am unaware of any escape functions for databases which are to be connected through drivers such as OCI8 or odbc.
Could anybody explain a little about the security measures for these databases?
Don't do sanitization unless you are doing VERY dynamic queries. Parameterized queries are the right way to go. Here's the PHP Documentation which describes how to do this.
Yes, Oracle has bind variables that automatically take care of preventing SQL injection. Neat, huh? :) Adam Hawkes uses the PDO library. I personally use oci8 with the oci_bind_by_name function.
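Both answers describe the same defence: send the SQL text and the user-supplied values to Oracle separately, so a value can never be parsed as part of the statement. The following is an added example, not code from the question or either answer, showing one lookup written with string concatenation (the pattern to avoid), with oci8 and oci_bind_by_name, and with PDO_OCI. It assumes a hypothetical USERS table with ID, NAME and EMAIL columns and uses placeholder connection credentials; the allow-list helper at the end covers the "very dynamic" case the first answer mentions, where the dynamic part is a column name that no driver can bind.

```php
<?php
// Added example (not part of the original thread). Table USERS(id, name, email)
// and the connection details are placeholders.

// UNSAFE, shown only for contrast: the value is spliced into the SQL text, so a
// single quote in $email changes the structure of the statement.
function findUserUnsafe($conn, string $email): array
{
    $stid = oci_parse($conn, "SELECT id, name FROM users WHERE email = '" . $email . "'");
    oci_execute($stid);
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

// SAFE with oci8: the :email placeholder stays in the SQL text, the value is
// bound and shipped separately, so Oracle never parses it as SQL.
function findUserOci8($conn, string $email): array
{
    $stid = oci_parse($conn, 'SELECT id, name FROM users WHERE email = :email');
    if ($stid === false) {
        throw new RuntimeException(oci_error($conn)['message']);
    }
    // oci_bind_by_name() takes the variable by reference: pass $email itself,
    // not an expression, and keep it alive until oci_execute() has run.
    oci_bind_by_name($stid, ':email', $email);
    if (!oci_execute($stid)) {
        throw new RuntimeException(oci_error($stid)['message']);
    }
    $rows = [];
    while (($row = oci_fetch_assoc($stid)) !== false) {
        $rows[] = $row;
    }
    oci_free_statement($stid);
    return $rows;
}

// SAFE with PDO (pdo_oci driver): prepare once, bind the value, execute.
function findUserPdo(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The "very dynamic" case: identifiers such as a sort column cannot be bound
// by any driver. Map the input onto a fixed allow-list instead of escaping it,
// so only strings the code itself wrote ever reach the SQL text.
function listUsersSorted(PDO $pdo, string $sortBy): array
{
    $allowed = ['id' => 'id', 'name' => 'name', 'email' => 'email'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException('Unsupported sort column: ' . $sortBy);
    }
    $stmt = $pdo->query('SELECT id, name FROM users ORDER BY ' . $allowed[$sortBy]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with placeholder credentials and an Easy Connect string.
$conn = oci_connect('app_user', 'app_password', '//dbhost:1521/ORCLPDB1');
if ($conn === false) {
    throw new RuntimeException(oci_error()['message']);
}
$pdo = new PDO(
    'oci:dbname=//dbhost:1521/ORCLPDB1',
    'app_user',
    'app_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$email = $_GET['email'] ?? '';
print_r(findUserOci8($conn, $email));
print_r(findUserPdo($pdo, $email));
print_r(listUsersSorted($pdo, $_GET['sort'] ?? 'id'));
oci_close($conn);
```

Binding also removes the need for any escaping function of the mysql_real_escape_string kind, which is why neither OCI8 nor PDO_OCI ships one. The same two patterns (bind every value, allow-list every identifier) apply unchanged to the Informix side through PDO_INFORMIX or ODBC.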