The short answer is: use whatever mechanism your connection libraries provide; it really has nothing to do with the database. If you're using ADO, you have parameterized queries; if you're using something else (I know nothing about PHP), then use whatever that library offers.
Rolling your own is probably a bad idea, because you're very likely to get something wrong, e.g. handling comment delimiters correctly.
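As an added illustration of the point above (example code, not part of the original answer), here is the contrast between splicing a value into the SQL text and handing it to the library as a parameter, using Python's built-in `sqlite3` module as the stand-in for "whatever your connection library provides". The table contents and the inputs are constructed for the example; the same pattern applies to any driver that supports placeholders.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table with three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "obrien@example.test")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Hand-rolled query: the caller's string is spliced into the SQL text,
    so any SQL syntax the string happens to contain is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the SQL text is fixed, and the library passes the
    value separately, so it is compared as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups on the same input and report what each returned.
    A syntax error from the concatenated version is reported as the string
    'error' instead of being raised, so the two can be viewed side by side."""
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.OperationalError:
        concat = "error"
    return {"concat": concat, "param": lookup_param(conn, name)}


if __name__ == "__main__":
    # An ordinary name works either way.
    print(compare("alice"))
    # A legitimate name containing an apostrophe breaks the hand-rolled query
    # (unbalanced quote) but is matched correctly by the parameterized one.
    print(compare("o'brien"))
    # Input containing a quote and a comment delimiter: concatenation turns it
    # into a different query whose WHERE clause is always true, so every row
    # comes back; the parameterized query simply looks for a user literally
    # named that and finds none.
    print(compare("x' OR 1=1 --"))
```

The second case is the one that shows why parameters are about correctness as much as security: a user named O'Brien is a perfectly normal input that the concatenated query cannot handle at all, while the driver's placeholder handles quoting, comment delimiters and encoding without any code of your own.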