How to pass a variable to SQL statement.
Message
From: Mike Yearwood, Toronto, Ontario, Canada, 02/02/2008 12:13:30
To: 01/02/2008 07:24:33
General information
Forum: Visual FoxPro
Category: Troubleshooting, Miscellaneous
Thread ID: 01287831
Message ID: 01288502
Views: 10
>>>>Hello all. Another noob question.
>>>>I have 2 fields. One is a text box, the other a combo box.
>>>>The LOST FOCUS property of the text box assigns its value to a xVariable
>>>>Then it populates (or tries to) the combo box with:
>>>>thisform.combo1.rowsource="select names from table1 where names LIKE xVariable into cursor Z"
>>>>In other words, I want that if xVariable is "GA", the combo box is populated with all the names that start with GA.
>>>>I have tried several possibilities with no success. What am I missing?
>>>>
>>>>TIA
>>>how about:
>>>
>>>thisform.combo1.rowsource="select names from table1 where names LIKE " + xVariable + " into cursor Z"
>>>
>>>However this will not work unless xVariable is public. Better to make it a Form Property:
>>>
>>>
>>>thisform.combo1.rowsource="select names from table1 where names LIKE "+ ThisForm.xVariable + " into cursor Z"
>>
>>Umm. Hello? Does anyone worry about SQL Injection Attacks anymore?
>
>Hi Mike
>
>How would you get an SQL injection attack into a form rowsource at run time?
>
>I thought that sort of attack only could occur via the internet and browsers.

No. Any time you're concatenating strings together into a query sent to a backend or executed with EXECSCRIPT it can happen.

What I'm doing these days is parameterizing every value. I don't think I've ever used the rowsource for a combo like that anyways. I'd much prefer to execute the SQL command elsewhere and use the resulting cursor as an alias to the control.

By doing that I can...

lcValue = THISFORM.somecontrol.value
SELECT * FROM SOMETABLE where field = ?m.lcValue

That way there is ZERO possibility of SQL Injection. Never smoke at the gas station, better safe than sorry. Never inject a user entered value into a SQL command. Always parameterize. Better safe than sorry.
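The two approaches side by side, as an added example that is not code from the thread: the RowSource string from the original question (user text spliced into the command text) and the parameterized-cursor-plus-alias pattern Mike describes. It assumes a form with a text box txtFilter and a combo box combo1, a table TABLE1 with a field NAMES, and (for the backend case) an open SQLCONNECT handle lnConn; all of those names are hypothetical.

```foxpro
* Added example, not from the thread. Assumes THISFORM has txtFilter and
* combo1, TABLE1 has a field NAMES, and lnConn is a handle from SQLCONNECT().

* --- Pattern from the original question: the typed text becomes part of the
* SQL statement itself. With RowSourceType = 3 the control executes this
* string as a command, so a quote or extra clause typed by the user changes
* the statement rather than being treated as data.
LOCAL lcTyped
lcTyped = ALLTRIM(THISFORM.txtFilter.Value)
THISFORM.combo1.RowSourceType = 3      && 3 = SQL statement, run as text
THISFORM.combo1.RowSource = "SELECT names FROM table1 " + ;
    "WHERE names LIKE '" + lcTyped + "%' INTO CURSOR Z"

* --- Parameterized version: run the query elsewhere, then bind the result.
* The ? prefix passes m.lcPattern as a bound value; the command text never
* contains the user's input, so it can only ever match data, not be parsed.
LOCAL lcPattern
lcPattern = ALLTRIM(THISFORM.txtFilter.Value) + "%"
SELECT names FROM table1 ;
    WHERE names LIKE ?m.lcPattern ;
    INTO CURSOR crzNames
THISFORM.combo1.RowSourceType = 2      && 2 = alias: the control reads the cursor
THISFORM.combo1.RowSource = "crzNames"

* --- Same idea when the query goes to a backend through SQL pass-through:
* the ?lcPattern parameter is sent to the server separately from the
* statement text, so there is no string to inject into.
IF TYPE("lnConn") = "N" AND lnConn > 0
    IF SQLEXEC(lnConn, ;
        "SELECT names FROM table1 WHERE names LIKE ?lcPattern", ;
        "crzNames") > 0
        THISFORM.combo1.RowSourceType = 2
        THISFORM.combo1.RowSource = "crzNames"
    ENDIF
ENDIF
```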