While technically true, note that using `-cmd` forces the same sort of string substitution that make security-conscious folks very nervous indeed, and can fail even if security were not a concern. For instance, strings with embedded single quotes break `.param` if not passed in a somewhat non-obvious way: ```sh $ sqlite3 -cmd ".param set :name 'Bobby's Tavern'" :memory: 'select * from sqlite_parameters' .parameter CMD ... Manage SQL parameter bindings clear Erase all bindings init Initialize the TEMP table that holds bindings list List the current parameter bindings set PARAMETER VALUE Given SQL parameter PARAMETER a value of VALUE PARAMETER should start with one of: $ : @ ? unset PARAMETER Remove PARAMETER from the binding table Error: no such table: sqlite_parameters # How about the standard SQL practice of doubling internal quotes? $ sqlite3 -cmd ".param set :name 'Bobby''s Tavern'" :memory: 'select * from sqlite_parameters' .parameter CMD ... Manage SQL parameter bindings clear Erase all bindings init Initialize the TEMP table that holds bindings list List the current parameter bindings set PARAMETER VALUE Given SQL parameter PARAMETER a value of VALUE PARAMETER should start with one of: $ : @ ? unset PARAMETER Remove PARAMETER from the binding table Error: no such table: sqlite_parameters # OK, will double quotes work? $ sqlite3 -cmd ".param set :name \"Bobby's Tavern\"" :memory: 'select * from sqlite_parameters' :name|Bobby's Tavern ``` And if the string you want to substitute contains both single and double quotes? Have fun. With my hypothetical `-param`, strings with pretty much any content can be passed safely to your SQLite queries: ``` sqlite3 -param :name "Bobby's Tavern" ... sqlite3 -param '$quote' "\"I'm full,\" said Jane." ... ```