SQLite Forum

Feature request: implement .parameter bind KEY VALUE in sqlite3 CLI (shell)
It would be very useful for those who use the sqlite3 CLI program as a mechanism/frontend/TUI to access databases.

As of now, users of the *sqlite3* CLI/shell must take care with data supplied from external resources and are responsible for data sanitation to prevent SQL injection.

The current .dot command "**.parameter set**" is not a true key/value binding feature that can be used as a mechanism to prevent SQL injection, which is why I am suggesting implementing a new .dot command.

The proposal is to implement a new .dot command **`.parameter bind KEY VALUE`**, where **`VALUE`** can be anything, including un-escaped quotes, so it can be safely used later in prepared statements.

To avoid "escaping hell" with the supplied **VALUE**, I suggest accepting **VALUE** as raw byte content on the right side of the command, after the first space that follows **KEY** and up to the end of the line or up to the first 0x00 byte.

If it is going to be implemented, it would also be very useful if **`VALUE`** in the proposed .dot command supported the **`.read`** command, which could be distinguished from the proposed one as:

**`.parameter bindfile KEY FILE`**

or 

**`.parameter bindblob KEY FILE`**

by utilizing the existing code of the **`.read`** command.
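To make the proposed semantics concrete, here is an added Python prototype (not SQLite's shell code and not part of this post) that emulates `.parameter bind KEY VALUE` and `.parameter bindfile KEY FILE` on top of Python's sqlite3 module: VALUE is taken verbatim after the space following KEY and passed through the bind API, so a constructed hostile-looking input is stored as text rather than parsed as SQL. The names `run_script`, `demo_bind` and `demo_bindfile` are assumptions of this example.

```python
import sqlite3
import tempfile

PREFIX_BIND = ".parameter bind "
PREFIX_BINDFILE = ".parameter bindfile "


def run_script(script, conn=None):
    """One statement per line. Proposed dot-commands record parameters; every
    other non-empty line is SQL run with those parameters bound via the driver."""
    conn = conn or sqlite3.connect(":memory:")
    params = {}
    rows = []
    for line in script.splitlines():
        if line.startswith(PREFIX_BIND):
            # KEY is the first token; VALUE is everything after the single space
            # that follows KEY, taken literally to end of line (quotes included).
            key, _, value = line[len(PREFIX_BIND):].partition(" ")
            params[key.lstrip(":@$")] = value
        elif line.startswith(PREFIX_BINDFILE):
            # KEY FILE: bind the file's raw bytes as a BLOB (the .read-like variant)
            key, _, path = line[len(PREFIX_BINDFILE):].partition(" ")
            with open(path, "rb") as f:
                params[key.lstrip(":@$")] = f.read()
        elif line.strip():
            # The value never touches the statement text; only the bind API sees it.
            rows.extend(conn.execute(line, params).fetchall())
    return rows


def demo_bind():
    # Constructed hostile-looking input: unescaped quotes and a second statement.
    hostile = "O'Brien'); DROP TABLE users; --"
    script = "\n".join([
        "CREATE TABLE users(name TEXT)",
        PREFIX_BIND + ":name " + hostile,
        "INSERT INTO users(name) VALUES(:name)",
        "SELECT name, typeof(name) FROM users",  # stored verbatim, as TEXT
    ])
    return run_script(script)


def demo_bindfile():
    # Constructed file content with NUL bytes, which a line-based VALUE cannot carry.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"PNG\x00header\x00bytes")
        path = f.name
    script = PREFIX_BINDFILE + ":blob " + path + "\nSELECT typeof(:blob), length(:blob)"
    return run_script(script)
```

The `users` table survives the hostile value and the file bytes arrive as a 16-byte BLOB, which is exactly the guarantee `.parameter set` cannot give without escaping.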