SQLite bind arguments - are they restricted to the WHERE clause only?

Question

Up to now I've been trying a lot of times to bind SQLite selection arguments in queries like the best practices suggest. But it rarely worked. I'm curious about the exact reason. Now I realized that it may be caused by the sub-queries in the FROM clause. For example...

SELECT X(result) as x, Y(result) as y, Z(result) as z FROM (select Transform(MakePointZ(?, ?, 0.0, ?), ?) as result);

and the Java code is something like...

double x, y, z;
int source, target;
final String[] selectionArgs = new String[] { 
                    String.valueOf(x),
                    String.valueOf(y), 
                    String.valueOf(z), 
                    String.valueOf(source), 
                    String.valueOf(target) };
Cursor c = db.rawQuery(sql, selectionArgs);

Could someone confirm if using arguments outside the WHERE clause is error or explain me where the arguments are fine to be placed?

P.s. I actually use Spatialite which is an extension to SQLite but it is based on a pure and untouched SQLite.

Answer 1

Parameters can be used in any place where a literal value is allowed; your SQL query itself looks fine.

However, the Android database API forces you to use string parameters, so all parameter values will be seen as strings by the database. This will make many comparisons fails, or break other operations done on these values.

Parameters are most important for strings, where formatting problems and SQL injection attacks are possible. For plain numbers, you could just insert them directly into the SQL string. Alternatively, convert the string values back into numbers in the database:

MakePointZ(CAST(? AS REAL), CAST(? AS REAL), ...)

Answer 2

Could someone confirm if using arguments outside the WHERE clause is error or explain me where the arguments are fine to be placed?

? substitution works wherever a literal is valid.

In your example code, the number of ? placeholders and bind arguments don't match and that will cause an exception.