fix(sqlite): correct parameter binding when mixing sqlc.arg() with bare ?

When a SQLite query uses both sqlc.arg() named parameters and bare ?
placeholders, the generated SQL has numbered ?N for named params but
leaves bare ? unnumbered. SQLite's auto-numbering for bare ? then
conflicts with the explicit ?N values, silently binding arguments to
wrong columns.

Fix by numbering all placeholders sequentially in text order when the
mixed case is detected, ensuring positional argument passing matches
the generated ?N values.

Author: abgoyal

internal/endtoend/testdata/mix_param_types/sqlite/go/db.go

@@ -0,0 +1,5 @@
+CREATE TABLE bar (
+       id integer not null,
+       name text not null,
+       phone text not null
+);

internal/endtoend/testdata/mix_param_types/sqlite/go/models.go

@@ -0,0 +1,12 @@
+{
+  "version": "1",
+  "packages": [
+    {
+      "path": "go",
+      "name": "querytest",
+      "schema": "schema.sql",
+      "queries": "test.sql",
+      "engine": "sqlite"
+    }
+  ]
+}

internal/endtoend/testdata/mix_param_types/sqlite/go/test.sql.go

@@ -0,0 +1,8 @@
+-- name: CountOne :one
+SELECT count(1) FROM bar WHERE id = sqlc.arg(id) AND name <> ?;
+
+-- name: CountTwo :one
+SELECT count(1) FROM bar WHERE id = ? AND name <> sqlc.arg(name);
+
+-- name: CountThree :one
+SELECT count(1) FROM bar WHERE id > ? AND phone <> sqlc.arg(phone) AND name <> ?;

internal/endtoend/testdata/mix_param_types/sqlite/schema.sql

@@ -47,6 +47,14 @@ func (p *ParamSet) Add(param Param) int {
 	return argn
 }
 
+// AddAnonymous allocates the next available parameter position without
+// associating a name. Used for bare ? placeholders that need explicit numbering.
+func (p *ParamSet) AddAnonymous() int {
+	argn := p.nextArgNum()
+	p.positionToName[argn] = ""
+	return argn
+}
+
 // FetchMerge fetches an indexed parameter, and merges `mergeP` into it
 // Returns: the merged parameter and whether it was a named parameter
 func (p *ParamSet) FetchMerge(idx int, mergeP Param) (param Param, isNamed bool) {

internal/endtoend/testdata/mix_param_types/sqlite/sqlc.json

@@ -82,6 +82,18 @@ func NamedParameters(engine config.Engine, raw *ast.RawStmt, numbs map[int]bool,
 	foundFunc := astutils.Search(raw, named.IsParamFunc)
 	foundSign := astutils.Search(raw, named.IsParamSign)
 	hasNamedParameterSupport := engine != config.EngineMySQL
+
+	// SQLite uses numbered ?N for sqlc.arg() but also accepts bare ?. When both
+	// coexist we must number all placeholders in text order so that positional
+	// argument binding matches the generated ?N values.
+	foundBare := astutils.Search(raw, isBareParamRef)
+	hasMixedParams := engine == config.EngineSQLite &&
+		len(foundBare.Items) > 0 &&
+		len(foundFunc.Items)+len(foundSign.Items) > 0
+	if hasMixedParams {
+		numbs = nil
+	}
+
 	allParams := named.NewParamSet(numbs, hasNamedParameterSupport)
 
 	if len(foundFunc.Items)+len(foundSign.Items) == 0 {
@@ -183,10 +195,29 @@ func NamedParameters(engine config.Engine, raw *ast.RawStmt, numbs map[int]bool,
 			})
 			return false
 
+		case hasMixedParams && isBareParamRef(node):
+			ref := node.(*ast.ParamRef)
+			argn := allParams.AddAnonymous()
+			cr.Replace(&ast.ParamRef{
+				Number:   argn,
+				Location: ref.Location,
+			})
+			edits = append(edits, source.Edit{
+				Location: ref.Location - raw.StmtLocation,
+				Old:      "?",
+				New:      fmt.Sprintf("?%d", argn),
+			})
+			return false
+
 		default:
 			return true
 		}
 	}, nil)
 
 	return node.(*ast.RawStmt), allParams, edits
 }
+
+func isBareParamRef(node ast.Node) bool {
+	ref, ok := node.(*ast.ParamRef)
+	return ok && !ref.Dollar
+}