>>Mike,
>>
>>You are deluding yourself if you think that ?x is less susceptible to SQL injection attacks.
>>
>>It's a fairly high cost in the overhead of VFP communicating parameters to ODBC; compositing the SQL string yourself runs quite a bit faster.
>
>I doubt VFP is passing parameters to ODBC - I think it's just preprocessing the string from "xxxx xxxx xxxx ?y xxx" to become something like
>
>@var1='content of y'
>xxxx xxxx xxxx @var1 xxx
>and then passing that string to ODBC. And I think VFP composes it faster than we could.

David is correct. VFP is passing parameters to ODBC.
--sb--
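
The distinction argued over in this thread, shown as an added example that is not part of any poster's message: a hand-composed SQL string beside a statement whose value is passed as a bound parameter. Python's sqlite3 stands in for an ODBC data source (an assumption; VFP is not involved), and the table, function names and input values are constructed for illustration.

```python
import sqlite3

# Constructed sample data; sqlite3 is a stand-in for an ODBC data source.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO customers (name) VALUES (?)",
                   [("alice",), ("bob",), ("o'brien",)])
    return db

def lookup_composed(db, name):
    """Build the SQL text by hand: the value becomes part of the statement."""
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, name):
    """Statement text is fixed; the value travels separately as a parameter."""
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(name):
    """Run both lookups on a fresh database and return (composed, bound)."""
    db = make_db()
    try:
        composed = lookup_composed(db, name)
    except sqlite3.Error as exc:
        # A quote in the value can also simply break the composed statement.
        composed = "error: " + type(exc).__name__
    return composed, lookup_bound(db, name)

if __name__ == "__main__":
    # Constructed inputs: a plain name, a legitimate name containing a
    # quote, and a value that changes the WHERE clause when concatenated.
    for value in ("bob", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

With binding, the quote in `o'brien` is ordinary data and the third value matches no row; with composition, the same two inputs produce a syntax error and a full-table result respectively.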