In Postgresql the db_* commands extract the "bind" variables and SQL quote them automatically. In the PG driver itself the [] charactaers are escaped as well for safety.
This means that the effective security of PostgreSQL is the same as Oracle.
This is done at the database api layer.
In addition ad_page_contract has filters and validation features to check input. ad_form and the form builder also have validation features for input.