Thank you for the update! I really appreciate your time and patience with my English, but I think the truth deserved it. I also suggest removing the misleading sentence: **"SQLite allows bound parameters to appear in an SQL statement anywhere that a literal value is allowed. The values for these parameters are set using the sqlite3_bind_...() family of APIs."** from https://sqlite.org/cli.html#sql_parameters because it isn't true for the [CLI](https://sqlite.org/cli.html): there are no calls to the **`sqlite3_bind_...()`** functions before running this:

```
zSql = sqlite3_mprintf(
    "REPLACE INTO temp.sqlite_parameters(key,value)"
    "VALUES(%Q,%s);", zKey, zValue);
    /* Substitute unsanitized zValue as */
    /* a plain string to %s that might  */
    /* be an SQL injection              */
```

As of now, true binding of VALUE to KEY isn't working, and this leads to the dangerous assumption that it is a safe mechanism that can be used in prepared statements.
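Added example, not part of the original post or of the SQLite shell source: a Python model of the statement quoted above, comparing a value pasted in through `%s` with the same value supplied as a bound parameter. `q_quote` is an emulation of `%Q`, and the table name `demo_parameters` is a stand-in, because names beginning with `sqlite_` are reserved on an ordinary connection.

```python
import sqlite3

# Stand-in for temp.sqlite_parameters (assumption of this example): names
# starting with "sqlite_" are reserved, so a plain connection cannot create it.
TABLE = "temp.demo_parameters"

def q_quote(text):
    """Emulate sqlite3_mprintf's %Q: quoted SQL string literal, ' doubled."""
    return "NULL" if text is None else "'" + text.replace("'", "''") + "'"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE}(key TEXT PRIMARY KEY, value)")
    return db

def set_formatted(db, key, value):
    """Shape of the quoted statement: key via %Q, value pasted in raw (%s)."""
    sql = f"REPLACE INTO {TABLE}(key,value)VALUES({q_quote(key)},{value});"
    db.execute(sql)

def set_bound(db, key, value):
    """Same statement with both columns supplied as bound parameters."""
    db.execute(f"REPLACE INTO {TABLE}(key,value)VALUES(?,?);", (key, value))

def stored(db, key):
    """Return (value, typeof(value)) as SQLite actually stored it."""
    return db.execute(
        f"SELECT value, typeof(value) FROM {TABLE} WHERE key=?", (key,)
    ).fetchone()

def demo():
    """Store each constructed sample both ways and report what was kept."""
    db = open_db()
    results = {}
    for sample in ("1+1", "upper('abc')"):  # constructed sample values
        set_formatted(db, "$f", sample)
        set_bound(db, "$b", sample)
        results[sample] = (stored(db, "$f"), stored(db, "$b"))
    return results

if __name__ == "__main__":
    for sample, (formatted, bound) in demo().items():
        print(f"{sample!r}: formatted={formatted} bound={bound}")
```

The formatted path stores the result of evaluating the text as an SQL expression, while the bound path stores the text itself.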