R =
R has separate interfaces for different databases, with different capabilities for each. RSQLite supports parameterized.
con <- dbConnect(SQLite(), ":memory:")
# Use dbSendPreparedQuery/dbGetPreparedQuery for "prepared" queries
dbGetPreparedQuery(con, "SELECT * FROM arrests WHERE Murder < ?",
data.frame(x = 3))
dbDisconnect(con)
But other interfaces, such as RMySQL do not allow parameterizations.
The database drivers for R are in process of being brought together under DBI, so it is possible this will change in the future.