Converting memo field from VFP to text in SQL Server
From: John Ryan (Captain-Cooker Appreciation Society), Taumata Whakatangi ..., New Zealand
Date: 07/08/2005 17:54:22
Forum: Microsoft SQL Server
Category: Other / Miscellaneous
Thread ID: 01038731
Message ID: 01039214
Dmitry,

Before you decide exactly how to do this, google SQL Injection. Any time you use string concatenation to create SQL, you create an opportunity for hackers to cause mischief.

Example:
lcsql="select * from mysqltable where mykey='"+m.lcparameter+"'"
Looks as if this will pull just record/s that match the parameter, right?

But if a hacker can set lcparameter to something like dummy' or 'hello' = 'hello then here is what will execute:
select * from mysqltable where mykey='dummy' or 'hello' = 'hello'
Not quite what you had in mind, right? ;-) Even worse if they can do this for updates!

Where possible, embed ?parameters using question marks in your client-side SQL. Parameterized SQL is then created that resists injection because values are transmitted to SQL Server as separate variables that cannot execute. You can do this very easily using parameters in SPT or a Remote View (where it happens automatically if you use ? parameters), or you can write your own Stored Procedure to achieve the same.
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1
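The following is an added example, not code from the post above or from the original VFP application. It reproduces the concatenation bug and the attacker value shown in the message, then the parameterized form, in Python against an in-memory SQLite database standing in for SQL Server (the table name, columns and sample rows are constructed for the demonstration). It also shows the UPDATE case the post warns about: the same payload that widens a SELECT to every row rewrites every row.

```python
import sqlite3

# Constructed sample data; the real table and its contents are not on the page.
SAMPLE_ROWS = [
    ("alpha", "record for alpha"),
    ("beta", "record for beta"),
    ("gamma", "record for gamma"),
]

# The attacker-controlled value quoted in the post.
INJECTION_PAYLOAD = "dummy' or 'hello' = 'hello"


def build_sample_db():
    # Fresh in-memory database with a table shaped like the post's 'mysqltable'.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mysqltable (mykey TEXT PRIMARY KEY, payload TEXT)")
    conn.executemany("INSERT INTO mysqltable VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_by_concatenation(conn, lcparameter):
    # Vulnerable: the same string-building as the post's lcsql line, so the
    # parameter is parsed as part of the SQL statement.
    lcsql = "select * from mysqltable where mykey='" + lcparameter + "'"
    return conn.execute(lcsql).fetchall()


def lookup_by_parameter(conn, lcparameter):
    # Safe: the ? placeholder ships the value separately from the statement text,
    # so quotes inside it are data, never syntax.
    lcsql = "select * from mysqltable where mykey=?"
    return conn.execute(lcsql, (lcparameter,)).fetchall()


def update_by_concatenation(conn, lcparameter, new_payload):
    # Vulnerable UPDATE: returns how many rows were rewritten.
    lcsql = ("update mysqltable set payload='" + new_payload
             + "' where mykey='" + lcparameter + "'")
    cur = conn.execute(lcsql)
    conn.commit()
    return cur.rowcount


def update_by_parameter(conn, lcparameter, new_payload):
    # Safe UPDATE with both values bound as parameters.
    lcsql = "update mysqltable set payload=? where mykey=?"
    cur = conn.execute(lcsql, (new_payload, lcparameter))
    conn.commit()
    return cur.rowcount


def run_demo():
    # Row counts for a normal key and for the injected value, each way.
    conn = build_sample_db()
    results = {
        "concat_normal": len(lookup_by_concatenation(conn, "beta")),
        "concat_injected": len(lookup_by_concatenation(conn, INJECTION_PAYLOAD)),
        "param_normal": len(lookup_by_parameter(conn, "beta")),
        "param_injected": len(lookup_by_parameter(conn, INJECTION_PAYLOAD)),
        "param_update_injected": update_by_parameter(conn, INJECTION_PAYLOAD, "owned"),
        "concat_update_injected": update_by_concatenation(conn, INJECTION_PAYLOAD, "owned"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, count in run_demo().items():
        print(f"{name}: {count} row(s)")
```

With the injected value, the concatenated SELECT returns all three rows and the concatenated UPDATE rewrites all three, while both parameterized statements touch zero rows because no key literally equals the payload string. In VFP the same separation is what you get by writing the placeholder inside the SQL pass-through string (for example `?m.lcparameter` in the statement passed to SQLEXEC) instead of splicing the variable's contents into it.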