SQLite Forum

Novice question concerning tcl sqlite and eval options and reusing prepared statements
That "really tricky" method may open a pathway for an SQL injection attack. When the "variables" appear within a brace-delimited query or DDL, '$'-prefixed identifiers become SQL parameters and are substituted with like-named TCL variable values via sqlite3_bind_*() calls by the SQLite TCL implementation of its eval subcommand. This is safer and (as Gerry notes) likely to be faster also.
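The contrast the reply describes, as an added example that is not part of the original post or of the SQLite project's own code: a Tcl script that runs the same lookup once with double-quoted (Tcl-substituted) SQL and once with brace-delimited SQL where `$name` is left for SQLite to bind. The `users` table, its two rows and the hostile `name` value are constructed for this example; the `lookup_unsafe` and `lookup_safe` procs are names chosen here.

```tcl
package require sqlite3

# Constructed sample data: an in-memory database with two users.
sqlite3 db :memory:
db eval {CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, secret TEXT)}
db eval {INSERT INTO users(name, secret) VALUES('alice', 'a-secret'), ('bob', 'b-secret')}

# Attacker-controlled input: the single quote closes the string literal and the
# tail widens the WHERE clause so every row matches.
set name {x' OR '1'='1}

# Vulnerable form: double quotes make Tcl substitute $name into the SQL text
# before SQLite ever parses it, so the quote in $name escapes the literal and
# the statement SQLite runs is:
#   SELECT secret FROM users WHERE name = 'x' OR '1'='1'
proc lookup_unsafe {name} {
    return [db eval "SELECT secret FROM users WHERE name = '$name'"]
}

# Safe form: braces suppress Tcl substitution, so SQLite receives the literal
# text "$name" in the SQL. The Tcl interface treats it as a named parameter and
# binds the value of the Tcl variable "name" from the calling scope (here the
# proc's argument) via sqlite3_bind_*. The input is data, never SQL syntax.
proc lookup_safe {name} {
    return [db eval {SELECT secret FROM users WHERE name = $name}]
}

puts "unsafe: [lookup_unsafe $name]"   ;# both secrets are returned
puts "safe:   [lookup_safe $name]"     ;# empty list: no user has that literal name

# Reuse: the SQL text of lookup_safe is byte-for-byte identical on every call,
# so the Tcl interface's statement cache reuses the prepared statement and only
# the bound value changes. The interpolated form produces a different SQL
# string per input and forces a fresh prepare each time.
foreach n {alice bob} {
    puts "$n -> [lookup_safe $n]"
}

db close
```

The same binding rule applies to `:name` and `@name` placeholders, and the brace-delimited form is the one to reach for whenever any part of the statement comes from outside the program; only identifiers such as table or column names cannot be bound this way and must be validated against an allow list instead.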