>Thanks, Mike!
>
>In this particular example, even concatenating a simple SQL Select is risky if a hacker can mess with the lcCompany variable.
Yes. *IF*
>If lcCompany is set to
>JJ union (select * from mytable) then concatenating that into a SQL string will include all the records in mytable.
>
>IMHO the best response is to use Name expression as proposed by Sergey:
>
>
>Select * from ("d:\demo\pro73b\sampledata\" + ALLTRIM(lcfile) + ALLTRIM(lcCompany))
>
>Not possible to inject that.
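To show the difference the thread is pointing at, here is an added Visual FoxPro example (not code from the thread or from Sergey): the risky macro-substituted build beside the name-expression form, plus a simple input check. It assumes per-company tables named base-name plus company code under the sample-data path quoted above, and the procedure and function names are made up for this illustration.

```foxpro
* Added example, not the thread's own code. Assumes one table per company,
* named <base><company>.dbf, under the sample-data path from the thread.
#DEFINE DATA_PATH "d:\demo\pro73b\sampledata\"

* Risky form: the untrusted value is spliced into SQL text and the whole
* string is executed by macro substitution, so anything in the value after
* the table name is parsed as SQL rather than treated as part of a name.
PROCEDURE QueryRisky(tcFile, tcCompany)
   LOCAL lcSQL
   lcSQL = "SELECT * FROM " + ALLTRIM(tcFile) + ALLTRIM(tcCompany) ;
         + " INTO CURSOR crsResult"
   &lcSQL
ENDPROC

* Safer form (the name-expression approach from the thread): the
* parenthesised expression is evaluated to a single file name before the
* query runs. SQL text inside the value never reaches the SQL parser; it
* only yields a table name that does not exist, so the query simply errors.
PROCEDURE QuerySafe(tcFile, tcCompany)
   SELECT * FROM (DATA_PATH + ALLTRIM(tcFile) + ALLTRIM(tcCompany)) ;
      INTO CURSOR crsResult
ENDPROC

* Cheap guard to run before either query: a company code should be a short
* alphanumeric token, so reject anything else up front. CHRTRAN() strips
* the allowed characters; anything left over means the value is invalid.
FUNCTION IsValidCompanyCode(tcCode)
   LOCAL lcCode
   lcCode = UPPER(ALLTRIM(tcCode))
   RETURN NOT EMPTY(lcCode) AND LEN(lcCode) <= 8 ;
      AND EMPTY(CHRTRAN(lcCode, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", ""))
ENDFUNC
```

Calling QuerySafe() with a value that contains SQL keywords fails with a file-not-found error instead of running extra SQL, which is the behaviour the thread describes.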