On Thu, Sep 19, 2019 at 3:20 AM Peter Bex <xxxxxx@more-magic.net> wrote:

> Are you sure?

Evidently I wasn't. Thanks for doing the research.  Documentation on SQL is a maze of twisty web pages, all different.

> I emphatically disagree.  IMO, the DSL is another layer that lies
> on top of the underlying DBI.  The DBI layer *must* have a way to
> separate SQL queries from parameters.

Parameters are slightly better than no parameters, but anonymous parameters are extremely easy to get wrong, passing the wrong string to the wrong thing (I have certainly done this), plus the need to pass the same value twice if your statement needs it twice.  If named parameters were pervasive, I'd say "use them", but we know they aren't.  "?" isn't actually part of SQL AFAICT, and there are probably databases that don't support even that.

I agree that the DSL is a separate layer.  But between quasiquotation, which is Lisp's far superior equivalent to named parameters, and the ability to do SQL string escaping in just one place, I think it serves as a more-than-satisfactory replacement for question marks.  If you don't use the DSL, you've already shot yourself in the foot, but nothing will prevent dumb programmers from using string-append (or equivalent), except the fact that dumb programmers don't generally wind up using Scheme.  We hope.


John Cowan          http://vrici.lojban.org/~cowan        xxxxxx@ccil.org
If I have seen farther than others, it is because I am surrounded by dwarves.
        --Murray Gell-Mann
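The three approaches the thread contrasts (string-append, anonymous "?" parameters, named parameters) plus the "escape in one place" idea, as an added example in Python; this is not code from the thread or from any CHICKEN egg, and it assumes Python's standard sqlite3 module with a small constructed in-memory table. The function names, the table and the sample rows are made up for the demonstration.

```python
import sqlite3

# Constructed sample data, not from the mailing-list thread.
ROWS = [("alice", "admin"), ("bob", "user"), ("mallory", "user")]


def make_db():
    """In-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_string_append(conn, name):
    """The string-append approach the thread warns against: the caller's
    value is pasted into the statement text, so the value itself can
    change what the statement means."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name + "'"
           " ORDER BY name")
    return conn.execute(sql).fetchall()


def lookup_positional(conn, name):
    """Anonymous '?' parameters: the driver ships the value separately from
    the SQL text, so it is never parsed as SQL. A value needed twice must be
    passed twice, which is the ergonomic complaint raised in the thread."""
    sql = ("SELECT name, role FROM users WHERE name = ? OR role = ?"
           " ORDER BY name")
    return conn.execute(sql, (name, name)).fetchall()


def lookup_named(conn, name):
    """Named parameters (':n' in sqlite3): one binding reused in two places,
    with the same separation of text and value as the positional form."""
    sql = ("SELECT name, role FROM users WHERE name = :n OR role = :n"
           " ORDER BY name")
    return conn.execute(sql, {"n": name}).fetchall()


def sql_quote(value):
    """Single, central quoting routine for SQL *string literals*: wrap in
    single quotes and double any embedded single quote. This is the one
    place a DSL would do its escaping. It is only correct for string
    literals in SQLite-style SQL, not for identifiers or numbers."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(conn, name):
    """Statement built as text, but every literal goes through sql_quote,
    so the value is always a literal and never bare SQL."""
    sql = ("SELECT name, role FROM users WHERE name = " + sql_quote(name)
           + " ORDER BY name")
    return conn.execute(sql).fetchall()


def compare(name):
    """Run the same caller-supplied value through all four variants and
    return the row counts, so the difference is visible side by side."""
    conn = make_db()
    return {
        "string_append": len(lookup_string_append(conn, name)),
        "positional": len(lookup_positional(conn, name)),
        "named": len(lookup_named(conn, name)),
        "escaped": len(lookup_escaped(conn, name)),
    }


if __name__ == "__main__":
    print(compare("alice"))
    print(compare("x' OR '1'='1"))
```

Running the block with a plain name returns one row from every variant; with a value that contains a quote, only the string-append variant returns every row in the table, because the value became part of the statement. The parameterized variants and the centrally quoted variant all treat it as a literal and match nothing, which is the property the DBI layer (or the DSL built on it) has to guarantee.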