and in addition to this... if you're especially paranoid, you may want to make a function to replace any embedded quotes with quote images (e.g. replace "'" with "''") and call it in the statement where you construct the SQL statement -- just in case (to avoid SQL injection problems).
THISFORM.combo2.ROWSOURCE=[select nombres from alumnos where nombres LIKE "] + STRTRAN(Nom,"'","''") + [" into cursor listnom]
Of course this might depend on if the query is interpreted by VFP directly or if it simply gets passed to the SQL backend. If it gets passed to the SQL backend, you could get a nasty suprise. Consider the possiblity of what would happen if:
Nom = "'; drop table alumnos;"
Précédent
Suivant
Répondre
Voir le fil de ce thread
Voir le fil de ce thread à partir de ce message seulement
Voir tous les messages de ce thread
Voir tous les messages de ce thread à partir de ce message seulement