> It is, in fact, documented:

This documentation applies to ALL .dot commands, where `.parameter` is just one of them. The particular [description of the '.parameter' command](https://sqlite.org/cli.html#sql_parameters) led me to believe, based on

> SQLite allows bound parameters to appear in an SQL statement anywhere that a literal value is allowed. The values for these parameters are set using the sqlite3_bind_...() family of APIs.

so basically it is a 'prepared statement', but since the sqlite3 shell is stripping quotes before passing the value to the SQLite engine, we have the issue described here.

> One way might be to add a third way of quoting to dot-commands: For example, if white space is followed by a # character, the rest of the input line would be taken verbatim as the final argument (choice of trigger character subject to debate, of course).

No, I don't think # or other "quoting" rules would work. # or something else can be user-supplied data, and then again we will step on the same "quoting" issue.

> Hmm, I thought it was just a convenient way to store a value that you might want to use repeatedly.

I think a prepared statement is much better and more secure than simply passing the user's data directly using insert.

I believe the trap I fell into is because I believed in the word "parameter" and was looking at documentation that stated that the value of this .dot command is passed to the `sqlite3_prepare()` function.

The only solution I see that would work is to take all the right-hand content after the first space, just after the parameter name and up to the end of the line, and pass it to sqlite3_prepare() as is.