Prepared statement parameterization failure on multiple-item inserts

[jaysonlarose]

Hello,

I just ran into this issue when trying to insert a large amount of rows into an rqlite database using multiple-item INSERTs.

Example code:

#!/usr/bin/env python3

import pyrqlite.dbapi2

if __name__ == '__main__':
	con = pyrqlite.dbapi2.connect(host="127.0.0.1", port=4001)
	cur = con.cursor()
	cur.execute("CREATE TABLE bug_demonstration (id INT UNSIGNED PRIMARY KEY, name TEXT)")
	con.commit()
	cur.execute("INSERT INTO bug_demonstration (name) VALUES (?), (?)", ['why am I being seen as a substitution token?', "little bobby tables sends his regards"])

When run against a stock rqlite server compiled from the current GitHub code and run in a completely vanilla fashion (rqlited bug_database), I get the following error:

{"error": "near \"little\": syntax error"}
Traceback (most recent call last):
  File "pyrqlite_bug.py", line 10, in <module>
    cur.execute("INSERT INTO bug_demonstration (name) VALUES (?), (?)", ['why am I being seen as a substitution token?', "little bobby tables sends his regards"])
  File "/usr/local/lib/python3.6/dist-packages/pyrqlite-HEAD-py3.6.egg/pyrqlite/cursors.py", line 178, in execute
sqlite3.Error: {"error": "near \"little\": syntax error"}

I used Wireshark to investigate the request coming down the line, which looked like this:

POST /db/execute?transaction HTTP/1.1
Host: 127.0.0.1:4001
Accept-Encoding: identity
Content-Length: 139
Content-Type: application/json

["INSERT INTO bug_demonstration (name) VALUES ('why am I being seen as a substitution token'little bobby tables sends his regards''), (?)"]

I figured it'd be a good idea to report this, as any parameterization or data-escaping errors have serious security implications.

Cheers, --Jays

[zmedico]

@davidc0le the issue reported is from things like this in https://github.com/rqlite/pyrqlite/pull/25:

            for i in range(len(parameters)):
                operation = operation.replace('?',