>>Mike,
>>
>>You are deluding yourself if you think that ?x is less susceptible to SQL injection attacks.
>>
>>It's a fairly high cost in the overhead of VFP communicating parameters to ODBC, compositing the SQL string yourself runs quite a bit faster.
>
>I doubt VFP is passing parameters to ODBC - I think it's just preprocessing the string from "xxxx xxxx xxxx ?y xxx" to become something like
>
>@var1='content of y'
>xxxx xxxx xxxx @var1 xxx
>and then passing that string to ODBC. And I think VFP composes it faster than we could.
In fact, VFP passes parameters to SQL Server. When you use something like:
par1 = 1
SQLEXEC(sqlH,[SELECT .... FROM .... WHERE someFld = ?m.par1])
The actual command passed to SQL Server is:
exec sp_executesql N'SELECT .... from .... WHERE someFld = @P1 ',N'@P1 float',1
Against Stupidity the Gods themselves Contend in Vain - Johann Christoph Friedrich von Schiller
The only thing normal about database guys is their tables.
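As an added example (not from this thread), here is the same lookup sent to SQL Server both ways, mirroring the sp_executesql form shown above; the temp table, the column names and the value O'Brien are constructed for illustration.

```sql
-- Added example, not the thread's code: a throwaway table with a value containing an apostrophe.
CREATE TABLE #Customers (CustId int, LastName nvarchar(50));
INSERT INTO #Customers VALUES (1, N'Smith'), (2, N'O''Brien');

-- 1) String composed client-side (the "do it yourself" approach):
--    the apostrophe in the data is spliced straight into the statement text,
--    so the server sees unbalanced quotes and the batch fails to parse.
--    Anything the user typed is parsed as SQL, which is the injection exposure.
--    Composed text would be:
--      SELECT CustId FROM #Customers WHERE LastName = 'O'Brien'
--    (kept as a comment so the rest of this script still runs).

-- 2) What VFP actually sends for ?m.par1: the statement text is fixed and
--    the value travels separately as a typed parameter, so the apostrophe
--    is plain data and cannot change the shape of the query.
EXEC sp_executesql
    N'SELECT CustId FROM #Customers WHERE LastName = @P1',
    N'@P1 nvarchar(50)',
    N'O''Brien';

DROP TABLE #Customers;
```

Run it in SSMS or sqlcmd against any database; only the parameterized form returns the O'Brien row, while the composed text cannot even be executed.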