You can use parameters in VFP as well

lcPassword = "&" + "&ETC    "
SELECT Numero AS PrimaryKey,Session FROM Member WHERE UPPER(Username)="SOMETHING" AND UPPER(Password)=?lcPassword

Or you'll have to do something like

lcPassword = "&" + "&ETC    "
lcDA =  "&" + "&"
? ["] + STRTRAN(lcPassword, lcDA, [" + "&" + "&" + "]) + ["]

>What is sad about this is that it means wherever we have such a search where the data comes from a table or from something the user entered, we would have to do a STRTRAN() in order to make sure it will always work. Assuming the user would enter something like that, it would fail.
>
>However, when doing the same SQL, by the use of VFPOleDB, from the .NET environment, as I always use a parameterized approach, this should not happen.