Thanks. This is it for the most part, but the way argument quoting is handled makes it somewhat problematic. `sqlite3_bind` handles escaping automatically; dumb substitution does not — which is still fine until quotes around arguments are stripped by the parser. Consider this:
```sql
> CREATE TABLE user (id PRIMARY KEY, name TEXT NOT NULL);
Query OK, 0 rows affected
Time: 0.001s
> INSERT INTO user VALUES (1, "dude");
Query OK, 1 row affected
Time: 0.001s
> \fs user_by_name SELECT * FROM user WHERE name = ?
Saved.
Time: 0.001s
> \f user_by_name "dude"
-- SELECT * FROM user WHERE name = dude;
no such column: dude
> \f user_by_name "SELECT"
-- SELECT * FROM user WHERE name = SELECT;
near "SELECT": syntax error
> \f user_by_name "'dude'; DROP TABLE user"
-- SELECT * FROM user WHERE name = 'dude'; DROP TABLE user;
> SELECT * FROM user WHERE name = 'dude'
+----+------+
| id | name |
+----+------+
| 1 | dude |
+----+------+
Time: 0.012s
> DROP TABLE user
Time: 0.001s
```
As you can see, to actually substitute in a string, one needs two levels of quoting — the outer level to defeat mangling by the argument parser, so it's not ideal.
Alternatively, one might suggest saving the query as `SELECT * FROM user WHERE name = '?'`, but that's not valid as a prepared statement anymore; the `'?'` is treated as a string literal, not a parameter that can be bound to.