R has separate interfaces for different databases, with different capabilities for each. RSQLite supports parameterized.
con <- dbConnect(SQLite(), ":memory:") # Use dbSendPreparedQuery/dbGetPreparedQuery for "prepared" queries dbGetPreparedQuery(con, "SELECT * FROM arrests WHERE Murder < ?", data.frame(x = 3)) dbDisconnect(con)
But other interfaces, such as RMySQL do not allow parameterizations.
The database drivers for R are in process of being brought together under DBI, so it is possible this will change in the future.