Your code works fine for me.
It returns:
---
Warning: oci_execute() [function.oci-execute.html]: OCIStmtExecute: ORA-00900: invalid SQL statement in /www/index.php on line 27

Fatal error: Uncaught exception 'DatabaseException' with message '[] Can't execute query. ' in /www/index.php:31 Stack trace: #0 {main} thrown in /www/index.php on line 31
---

>oci_parse() - Validates the SQL statement. However this always returns true so it can't be trusted.
no, this is not true.
it does return false, if something went wrong.

>...and then use oci_error() to get the error, you don't get the error string it outputs to the screen.

Please, re-check it twice.
This is false too.

And, please, provide more information about your system.
What version of Oracle & Oracle client do you use?

Check your output.

1) The error was first detected by oci_execute(). oci_parse() didn't detect the errornous SQL string.
2) Where is the oracle error message in the exception? I need that info for debugging.

Aha, now I see...
It seems to me, that our manual lies about validation.

That's what OCI docs say about oci_parse (OciStmtPrepare() indeed):
--
An application requests a SQL or PL/SQL statement to be prepared for execution using the OCIStmtPrepare() call and passing it a previously allocated statement handle. This is a completely local call, requiring no round trip to the server.
--

oci_parse will return false only if there is some problems with oracle connection.
The only way to validate query is to execute it.

So, I need to change the documentation.
Right?

Not only the documentation.
See my #2.

-----

2) Where is the oracle error message in the exception? I need that info
for debugging.

-----

If you look in the exception you get:

-----------------------
Fatal error: Uncaught exception 'DatabaseException' with message '[]
Can't execute query. ' in /www/index.php:31 Stack trace: #0 {main}
thrown in /www/index.php on line 31
--------------------------------

The oracle error message and code is not included in the exception. 
Even though in the code it threw the exception with the following statement:
throw new DatabaseException("[".$aError['code']."] Can't execute
query. ".$aError['message']);	
The only way to grab the oracle error is to set up a custom error handler. You can't use oci_error() to retrieve it.

you need to pass $stmt to oci_error(); in this case.
so, your code will look like this:
<?

/* ... */
$query = 'XYZZYX'; /* Invalid SQL string */

$stmt = oci_parse($this->connection, $query);

$return = @oci_execute($stmt);

if($return === FALSE)
{
    $aError = oci_error($stmt); //$stmt here
    throw new DatabaseException("[".$aError['code']."] Can't execute
query. ".$aError['message']);
}

?>

Requalifying as documentation problem and assigning to myself..

Just checked it out.
It seems your right. 
It's a documentation problem only. But still enough to confuse some people. :)
You already confused me by changing all the function names a few weeks ago.

You can use old names as well.
They are still available as aliases of new functions.

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.