diff --git a/manifest b/manifest
index 2481ee9c33..d196135c97 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Remove\sunnecessary\smemset()\scalls\sfrom\stest\scode.
-D 2013-10-03T11:27:56.219
+C Return\san\serror\sif\san\sattempt\sis\smade\sto\screate\sa\strigger\swith\san\sSQL\svariable\sembedded\swithin\sit.\sIf\ssuch\sa\svariable\sreference\sis\sfound\swithin\sa\strigger\sdefinition\sloaded\sfrom\sthe\ssqlite_master\stable,\ssilently\sreplace\sit\swith\sa\sNULL.
+D 2013-10-03T12:29:38.279
 F Makefile.arm-wince-mingw32ce-gcc d6df77f1f48d690bd73162294bbba7f59507c72f
 F Makefile.in 5e41da95d92656a5004b03d3576e8b226858a28e
 F Makefile.linux-gcc 91d710bdc4998cb015f39edf3cb314ec4f4d7e23
@@ -158,7 +158,7 @@ F sqlite3.1 6be1ad09113570e1fc8dcaff84c9b0b337db5ffc
 F sqlite3.pc.in 48fed132e7cb71ab676105d2a4dc77127d8c1f3a
 F src/alter.c 2af0330bb1b601af7a7789bf7229675fd772a083
 F src/analyze.c d322972af09e3f8debb45f420dfe3ded142b108b
-F src/attach.c 4a2b6a6d9b5f9fd55a8b59488ff7929fef73a195
+F src/attach.c 64859892b2a922c36c936f22dbce40e3c8044749
 F src/auth.c 523da7fb4979469955d822ff9298352d6b31de34
 F src/backup.c 2f1987981139bd2f6d8c728d64bf09fb387443c3
 F src/bitvec.c 19a4ba637bd85f8f63fc8c9bae5ade9fb05ec1cb
@@ -221,7 +221,7 @@ F src/shell.c 5ee50ca3e35453bbd6ccdf1bdd0f6bbe9738e9fb
 F src/sqlite.h.in ec40aa958a270416fb04b4f72210357bf163d2c5
 F src/sqlite3.rc 11094cc6a157a028b301a9f06b3d03089ea37c3e
 F src/sqlite3ext.h 886f5a34de171002ad46fae8c36a7d8051c190fc
-F src/sqliteInt.h 18c7f80e7e23098942436f7286e9c93adc6908be
+F src/sqliteInt.h d759d22c3c4c8e88ccd550c7aa174a190ca768f6
 F src/sqliteLimit.h 164b0e6749d31e0daa1a4589a169d31c0dec7b3d
 F src/status.c 7ac05a5c7017d0b9f0b4bcd701228b784f987158
 F src/table.c 2cd62736f845d82200acfa1287e33feb3c15d62e
@@ -272,7 +272,7 @@ F src/test_vfs.c e72f555ef7a59080f898fcf1a233deb9eb704ea9
 F src/test_vfstrace.c 34b544e80ba7fb77be15395a609c669df2e660a2
 F src/test_wsd.c 41cadfd9d97fe8e3e4e44f61a4a8ccd6f7ca8fe9
 F src/tokenize.c 70061085a51f2f4fc15ece94f32c03bcb78e63b2
-F src/trigger.c 5c0ea9b8755e7c5e1a700f3e27ac4f8d92dd221e
+F src/trigger.c 9e6976b6d67de26bbaabb361f28a90b799d80434
 F src/update.c f5182157f5d0d0a97bc5f5e3c9bdba0dfbe08f08
 F src/utf.c 6fc6c88d50448c469c5c196acf21617a24f90269
 F src/util.c 7f3e35432d6888d1e770c488c35bd98970c44eec
@@ -987,6 +987,7 @@ F test/triggerA.test fe5597f47ee21bacb4936dc827994ed94161e332
 F test/triggerB.test 56780c031b454abac2340dbb3b71ac5c56c3d7fe
 F test/triggerC.test a7b4367392c755bc5fd5fff88011753e6b6afe90
 F test/triggerD.test 8e7f3921a92a5797d472732108109e44575fa650
+F test/triggerE.test 355e9c5cbaed5cd039a60baad1fb2197caeb8e52
 F test/tt3_checkpoint.c 415eccce672d681b297485fc20f44cdf0eac93af
 F test/types.test bf816ce73c7dfcfe26b700c19f97ef4050d194ff
 F test/types2.test 3555aacf8ed8dc883356e59efc314707e6247a84
@@ -1118,7 +1119,7 @@ F tool/warnings-clang.sh f6aa929dc20ef1f856af04a730772f59283631d4
 F tool/warnings.sh fbc018d67fd7395f440c28f33ef0f94420226381
 F tool/wherecosttest.c f407dc4c79786982a475261866a161cd007947ae
 F tool/win/sqlite.vsix 030f3eeaf2cb811a3692ab9c14d021a75ce41fff
-P 8d399a03de63c15908d63ed69140ee15c6275b8d
-R ae588916fdc736be6c4dac87b59614c6
-U drh
-Z 0a2b0d9a2a1e75ecb540daf6b8322ce3
+P eec3187bc68ddebdbc2113f77c7f5cd32e9be61f
+R bcf82dacad10da610aa03ba9f5dccbf3
+U dan
+Z 81b7035f34aeb81458a978a9137553b8
diff --git a/manifest.uuid b/manifest.uuid
index 4e5fe560a3..164a10954b 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-eec3187bc68ddebdbc2113f77c7f5cd32e9be61f
\ No newline at end of file
+f35f6ae3da77dbdf5f7a4a9927475659fc6e0ca6
\ No newline at end of file
diff --git a/src/attach.c b/src/attach.c
index 805305dab6..7cefe252ff 100644
--- a/src/attach.c
+++ b/src/attach.c
@@ -430,7 +430,7 @@ int sqlite3FixInit(
 ){
   sqlite3 *db;
 
-  if( NEVER(iDb<0) || iDb==1 ) return 0;
+  if( NEVER(iDb<0) ) return 0;
   db = pParse->db;
   assert( db->nDb>iDb );
   pFix->pParse = pParse;
@@ -438,6 +438,7 @@ int sqlite3FixInit(
   pFix->pSchema = db->aDb[iDb].pSchema;
   pFix->zType = zType;
   pFix->pName = pName;
+  pFix->bVarOnly = (iDb==1);
   return 1;
 }
 
@@ -466,15 +467,17 @@ int sqlite3FixSrcList(
   if( NEVER(pList==0) ) return 0;
   zDb = pFix->zDb;
   for(i=0, pItem=pList->a; i<pList->nSrc; i++, pItem++){
-    if( pItem->zDatabase && sqlite3StrICmp(pItem->zDatabase, zDb) ){
-      sqlite3ErrorMsg(pFix->pParse,
-         "%s %T cannot reference objects in database %s",
-         pFix->zType, pFix->pName, pItem->zDatabase);
-      return 1;
+    if( pFix->bVarOnly==0 ){
+      if( pItem->zDatabase && sqlite3StrICmp(pItem->zDatabase, zDb) ){
+        sqlite3ErrorMsg(pFix->pParse,
+            "%s %T cannot reference objects in database %s",
+            pFix->zType, pFix->pName, pItem->zDatabase);
+        return 1;
+      }
+      sqlite3DbFree(pFix->pParse->db, pItem->zDatabase);
+      pItem->zDatabase = 0;
+      pItem->pSchema = pFix->pSchema;
     }
-    sqlite3DbFree(pFix->pParse->db, pItem->zDatabase);
-    pItem->zDatabase = 0;
-    pItem->pSchema = pFix->pSchema;
 #if !defined(SQLITE_OMIT_VIEW) || !defined(SQLITE_OMIT_TRIGGER)
     if( sqlite3FixSelect(pFix, pItem->pSelect) ) return 1;
     if( sqlite3FixExpr(pFix, pItem->pOn) ) return 1;
@@ -497,9 +500,21 @@ int sqlite3FixSelect(
     if( sqlite3FixExpr(pFix, pSelect->pWhere) ){
       return 1;
     }
+    if( sqlite3FixExprList(pFix, pSelect->pGroupBy) ){
+      return 1;
+    }
     if( sqlite3FixExpr(pFix, pSelect->pHaving) ){
       return 1;
     }
+    if( sqlite3FixExprList(pFix, pSelect->pOrderBy) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pLimit) ){
+      return 1;
+    }
+    if( sqlite3FixExpr(pFix, pSelect->pOffset) ){
+      return 1;
+    }
     pSelect = pSelect->pPrior;
   }
   return 0;
@@ -509,6 +524,14 @@ int sqlite3FixExpr(
   Expr *pExpr        /* The expression to be fixed to one database */
 ){
   while( pExpr ){
+    if( pExpr->op==TK_VARIABLE ){
+      if( pFix->pParse->db->init.busy ){
+        pExpr->op = TK_NULL;
+      }else{
+        sqlite3ErrorMsg(pFix->pParse, "%s cannot use variables", pFix->zType);
+        return 1;
+      }
+    }
     if( ExprHasProperty(pExpr, EP_TokenOnly) ) break;
     if( ExprHasProperty(pExpr, EP_xIsSelect) ){
       if( sqlite3FixSelect(pFix, pExpr->x.pSelect) ) return 1;
diff --git a/src/sqliteInt.h b/src/sqliteInt.h
index 4a52b64f62..d57e81e949 100644
--- a/src/sqliteInt.h
+++ b/src/sqliteInt.h
@@ -2414,6 +2414,7 @@ typedef struct DbFixer DbFixer;
 struct DbFixer {
   Parse *pParse;      /* The parsing context.  Error messages written here */
   Schema *pSchema;    /* Fix items to this schema */
+  int bVarOnly;       /* Check for variable references only */
   const char *zDb;    /* Make sure all objects are contained in this database */
   const char *zType;  /* Type of the container - used for error messages */
   const Token *pName; /* Name of the container - used for error messages */
diff --git a/src/trigger.c b/src/trigger.c
index b901d07678..bc31ba86a2 100644
--- a/src/trigger.c
+++ b/src/trigger.c
@@ -291,8 +291,10 @@ void sqlite3FinishTrigger(
   }
   nameToken.z = pTrig->zName;
   nameToken.n = sqlite3Strlen30(nameToken.z);
-  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", &nameToken) 
-          && sqlite3FixTriggerStep(&sFix, pTrig->step_list) ){
+  if( sqlite3FixInit(&sFix, pParse, iDb, "trigger", &nameToken) && (
+      sqlite3FixTriggerStep(&sFix, pTrig->step_list) 
+   || sqlite3FixExpr(&sFix, pTrig->pWhen) 
+  )){
     goto triggerfinish_cleanup;
   }
 
diff --git a/test/triggerE.test b/test/triggerE.test
new file mode 100644
index 0000000000..e2727bbdcb
--- /dev/null
+++ b/test/triggerE.test
@@ -0,0 +1,112 @@
+# 2009 December 29
+#
+# The author disclaims copyright to this source code.  In place of
+# a legal notice', here is a blessing:
+#
+#    May you do good and not evil.
+#    May you find forgiveness for yourself and forgive others.
+#    May you share freely, never taking more than you give.
+#
+#***********************************************************************
+#
+# This file tests the effects of SQL variable references embedded in
+# triggers. If the user attempts to create such a trigger, it is an
+# error. However, if an existing trigger definition is read from
+# the sqlite_master table, the variable reference always evaluates
+# to NULL.
+#
+
+set testdir [file dirname $argv0]
+source $testdir/tester.tcl
+ifcapable {!trigger} {
+  finish_test
+  return
+}
+set testprefix triggerE
+
+do_execsql_test 1.0 {
+  CREATE TABLE t1(a, b);
+  CREATE TABLE t2(c, d);
+  CREATE TABLE t3(e, f);
+}
+
+# forcedelete test.db2
+# do_execsql_test 1.1 {
+#   ATTACH 'test.db2' AS aux;
+#   CREATE TABLE aux.t4(x);
+#   INSERT INTO aux.t4 VALUES(5);
+# 
+#   CREATE TRIGGER tr1 AFTER INSERT ON t1 WHEN new.a IN (SELECT x FROM aux.t4)
+#   BEGIN
+#     SELECT 1;
+#   END;
+# } 
+# do_execsql_test 1.2 { INSERT INTO t1 VALUES(1,1); }
+# do_execsql_test 1.3 { INSERT INTO t1 VALUES(5,5); }
+
+#-------------------------------------------------------------------------
+# Attempt to create various triggers that use bound variables.
+#
+set errmsg "trigger cannot use variables"
+foreach {tn defn} {
+  1 { AFTER INSERT ON t1 WHEN new.a = ? BEGIN SELECT 1; END; }
+  2 { BEFORE DELETE ON t1 BEGIN SELECT ?; END; }
+  3 { BEFORE DELETE ON t1 BEGIN SELECT * FROM (SELECT * FROM (SELECT ?)); END; }
+  5 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 GROUP BY ?; END; }
+  6 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 LIMIT ?; END; }
+  7 { BEFORE DELETE ON t1 BEGIN SELECT * FROM t2 ORDER BY ?; END; }
+  8 { BEFORE UPDATE ON t1 BEGIN UPDATE t2 SET c = ?; END; }
+  9 { BEFORE UPDATE ON t1 BEGIN UPDATE t2 SET c = 1 WHERE d = ?; END; }
+} {
+  catchsql {drop trigger tr1}
+  do_catchsql_test 1.1.$tn "CREATE TRIGGER tr1 $defn" [list 1 $errmsg]
+  do_catchsql_test 1.2.$tn "CREATE TEMP TRIGGER tr1 $defn" [list 1 $errmsg]
+}
+
+#-------------------------------------------------------------------------
+# Test that variable references within trigger definitions loaded from 
+# the sqlite_master table are automatically converted to NULL.
+#
+do_execsql_test 2.1 {
+  PRAGMA writable_schema = 1;
+  INSERT INTO sqlite_master VALUES('trigger', 'tr1', 't1', 0,
+    'CREATE TRIGGER tr1 AFTER INSERT ON t1 BEGIN 
+        INSERT INTO t2 VALUES(?1, ?2); 
+     END'
+  );
+
+  INSERT INTO sqlite_master VALUES('trigger', 'tr2', 't3', 0,
+    'CREATE TRIGGER tr2 AFTER INSERT ON t3 WHEN ?1 IS NULL BEGIN
+        UPDATE t2 SET c=d WHERE c IS ?2;
+     END'
+  );
+}
+db close
+sqlite3 db test.db
+
+do_execsql_test 2.2.1 {
+  INSERT INTO t1 VALUES(1, 2);
+  SELECT * FROM t2;
+} {{} {}}
+do_test 2.2.2 {
+  set one 3
+  execsql {
+    DELETE FROM t2;
+    INSERT INTO t1 VALUES($one, ?1);
+    SELECT * FROM t2;
+  }
+} {{} {}}
+do_execsql_test 2.2.3 { SELECT * FROM t1 } {1 2 3 3}
+
+do_execsql_test 2.3 {
+  DELETE FROM t2;
+  INSERT INTO t2 VALUES('x', 'y');
+  INSERT INTO t2 VALUES(NULL, 'z');
+  INSERT INTO t3 VALUES(1, 2);
+  SELECT * FROM t3;
+  SELECT * FROM t2;
+} {1 2 x y z z}
+
+finish_test
+
+