Stored Procedure always faster?
From: Mike Yearwood, Toronto, Ontario, Canada
Date: 28/07/2006 15:43:00
Forum: Visual FoxPro
Category: Client/server
Database: MS SQL Server
Thread ID: 01140442
Message ID: 01141333

>Mike,
>
>You are deluding yourself if you think that ?x is less susceptible to SQL injection attacks.

You're welcome to show me how to inject SQL into a parameterized query.

>
>It's a fairly high cost in the overhead of VFP communicating parameters to ODBC; compositing the SQL string yourself runs quite a bit faster.
>
>>I would never consider testing that. If MDOT ;) lnPercentage came directly from the user, that would be the dictionary definition of a SQL Injection Attack. Passing the value as a parameter excludes the injection attack.
>>
>>I thought passing the parameter in both cases validated the test by keeping the two processes more alike. Agreed?
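
The difference argued over in this message, as an added example that is not part of the original post or thread: the same user-supplied percentage is run once composited into the SQL string and once bound as a parameter. It uses Python's `sqlite3` as a stand-in for the VFP/ODBC/SQL Server stack; the table, column and function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are hypothetical.
ROWS = [("widget", 10), ("gadget", 25), ("gizmo", 40)]


def make_db():
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, discount INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", ROWS)
    return conn


def composed(conn, ln_percentage):
    """Composite the SQL string yourself: the value becomes SQL syntax."""
    sql = "SELECT name FROM products WHERE discount = " + str(ln_percentage)
    return sorted(row[0] for row in conn.execute(sql))


def parameterized(conn, ln_percentage):
    """Fixed SQL text; the value is sent separately and is only ever data."""
    sql = "SELECT name FROM products WHERE discount = ?"
    return sorted(row[0] for row in conn.execute(sql, (ln_percentage,)))


def compare(user_value):
    """Return the rows each approach yields for the same input."""
    conn = make_db()
    try:
        return {
            "composed": composed(conn, user_value),
            "parameterized": parameterized(conn, user_value),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed value behaves identically in both forms.
    print(compare(10))
    # Constructed input that is not a plain number: the composited query's
    # WHERE clause changes meaning, the parameterized one matches nothing.
    print(compare("10 OR 1=1"))
```
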