SQLite Forum

SQLite3 shell doing math operation on parameter substitution
Thank you for the update!

I really appreciate your time and patience with my English, but I think the truth deserved it.

I also suggest removing the misleading sentence:
**"SQLite allows bound parameters to appear in an SQL statement anywhere that a literal value is allowed. The values for these parameters are set using the sqlite3_bind_...() family of APIs. "**

from: https://sqlite.org/cli.html#sql_parameters

because it isn't true for the [CLI](https://sqlite.org/cli.html): there are no calls to **`sqlite3_bind_...()`** functions before running this:

```
zSql = sqlite3_mprintf(
    "REPLACE INTO temp.sqlite_parameters(key,value)"
    "VALUES(%Q,%s);", zKey, zValue); /* Substitutes the unsanitized zValue  */
                                     /* as plain SQL text via %s, which    */
                                     /* might be an SQL injection          */
```

As of now, true binding of VALUE to KEY isn't working, and this leads to the dangerous assumption that it is a safe mechanism that can be used in prepared statements.
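The difference the post is pointing at, as an added example that is not part of the original post or of SQLite's own code: the CLI snippet pastes the value through `%s`, so it is parsed as SQL (an expression like `1+2` is evaluated to `3`, and a value with an unbalanced quote is a syntax error), whereas real `sqlite3_bind_...()`-style binding stores the value as data. The Python below mimics both paths using the standard `sqlite3` module. It assumes a stand-in table `temp.shell_parameters` (a hypothetical name, because ordinary SQL cannot create a table with the reserved `sqlite_` prefix) and a small `sql_quote` helper that approximates `%Q`.

```python
import sqlite3

# Hypothetical stand-in for the CLI's temp.sqlite_parameters table.
TABLE = "temp.shell_parameters"


def open_db():
    """Fresh in-memory database with the stand-in parameter table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TEMP TABLE shell_parameters(key TEXT PRIMARY KEY, value)")
    return conn


def sql_quote(text):
    """Approximate sqlite3_mprintf's %Q: wrap in single quotes, double inner quotes."""
    return "'" + text.replace("'", "''") + "'"


def shell_style_set(conn, key, value):
    """Mimic the CLI snippet from the post: key goes through %Q, value through a
    bare %s, so 'value' lands in the statement as SQL text and is evaluated."""
    sql = f"REPLACE INTO {TABLE}(key,value) VALUES({sql_quote(key)},{value});"
    conn.execute(sql)


def bound_set(conn, key, value):
    """What the documentation sentence describes: the value is bound as data
    and is never interpreted as SQL."""
    conn.execute(f"REPLACE INTO {TABLE}(key,value) VALUES(?,?);", (key, value))


def get_param(conn, key):
    row = conn.execute(f"SELECT value FROM {TABLE} WHERE key=?", (key,)).fetchone()
    return None if row is None else row[0]


def compare(value):
    """Store the same string both ways and return (shell_result, bound_result).
    shell_result is the SQLite error text if the pasted SQL fails to parse."""
    conn = open_db()
    try:
        shell_style_set(conn, "p", value)
        shell_result = get_param(conn, "p")
    except sqlite3.OperationalError as exc:
        shell_result = f"error: {exc}"
    bound_set(conn, "q", value)
    bound_result = get_param(conn, "q")
    conn.close()
    return shell_result, bound_result


if __name__ == "__main__":
    # Constructed sample values: an arithmetic expression, a quoted SQL
    # string literal, and a plain string containing an apostrophe.
    for v in ["1+2", "'abc'", "O'Reilly"]:
        print(repr(v), "->", compare(v))
```

Running it shows `1+2` stored as the integer `3` by the `%s` path but as the text `1+2` by the bound path, `'abc'` stored as `abc` versus the literal `'abc'`, and `O'Reilly` rejected as a syntax error by the `%s` path while binding stores it verbatim. That is exactly why a value passed to `.parameter set` has to be written as an SQL expression, and why the CLI's behaviour should not be mistaken for bound parameters.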