On Mon, 9 Mar 2015 17:59:33 +0100
Fabian Stumpf <fjstumpf at gmail.com> wrote:

> I am currently using
> > ATTACH DATABASE ? AS ?;
> to dynamically attach databases to a connection.
> In some cases, the same physical database file is attached under
> different names.
> 
> This all seems to work perfectly, although the documentation for the
> ATTACH statement specifies the name as type "database-name", not as
> "expr", so I'm not sure if specifying a bind parameter is "legal". 

I don't have a definitive answer for you, just a way to think about
it.  

Parameterized queries in general let you replace any data value
(and not metadata).  For instance, you can replace a column value, but
not a column name.  Using that as a guide, I'm a little surprised that 

        ATTACH DATABASE ? AS ?

works, because the second parameter is metadata.  But I would expect

        ATTACH DATABASE ? AS db;

to be valid.  

So IMO you've been lucky so far, but the filename is fair game for
parameterization.  

--jkl
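
One way to apply the rule of thumb from the reply above, as an added example that is not part of the original thread: bind the filename as a parameter, and check that the schema name is a plain identifier before placing it in the statement text. It uses Python's standard `sqlite3` module; the helper names `attach` and `schemas`, the identifier pattern, and the sample file name are assumptions made for the illustration.

```python
import os
import re
import sqlite3
import tempfile

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
RESERVED = {"main", "temp"}  # schema names SQLite already uses


def attach(conn, path, alias):
    """Attach `path` as schema `alias` (hypothetical helper)."""
    if not IDENT.fullmatch(alias) or alias.lower() in RESERVED:
        raise ValueError(f"rejected schema name: {alias!r}")
    # The alias is a plain identifier at this point, so it can be placed in
    # the statement text. The filename is data and is always bound.
    conn.execute(f'ATTACH DATABASE ? AS "{alias}"', (path,))


def schemas(conn):
    """Return {schema name: file path} from PRAGMA database_list."""
    return {name: file for _seq, name, file in conn.execute("PRAGMA database_list")}


def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample file; the quote in its name is deliberate.
        path = os.path.join(d, "team's data.db")
        seed = sqlite3.connect(path)
        seed.execute("CREATE TABLE t (x)")
        seed.execute("INSERT INTO t VALUES (42)")
        seed.commit()
        seed.close()

        conn = sqlite3.connect(":memory:")
        try:
            attach(conn, path, "a")
            attach(conn, path, "b")  # same physical file, second name
            values = [conn.execute(f"SELECT x FROM {s}.t").fetchone()[0] for s in ("a", "b")]
            try:
                attach(conn, path, 'x"; DROP TABLE t; --')  # constructed hostile name
                rejected = False
            except ValueError:
                rejected = True
            return schemas(conn), values, rejected
        finally:
            conn.close()


if __name__ == "__main__":
    print(demo())
```

The quote in the file name needs no escaping because the path never becomes part of the SQL text, while the schema name reaches the statement only after the identifier check.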
