How to pass a variable to SQL statement.
Message
From
02/02/2008 13:09:42
Dragan Nedeljkovich
Now officially retired
Zrenjanin, Serbia
To
02/02/2008 12:06:56
Mike Yearwood
Toronto, Ontario, Canada
General information
Forum:
Visual FoxPro
Category:
Problems
Miscellaneous
Thread ID:
01287831
Message ID:
01288523
Views:
15
>>>and in addition to this... if you're especially paranoid, you may want to make a function to replace any embedded quotes with quote images (e.g. replace "'" with "''") and call it in the statement where you construct the SQL statement -- just in case (to avoid SQL injection problems).
>>>
>>>THISFORM.combo2.ROWSOURCE=[select nombres from alumnos where nombres LIKE "] + STRTRAN(Nom,"'","''") + [" into cursor listnom]
>>
>>>Of course this might depend on if the query is interpreted by VFP directly or if it simply gets passed to the SQL backend. If it gets passed to the SQL backend, you could get a nasty surprise. Consider the possibility of what would happen if:
>>>
>>>Nom = "'; drop table alumnos;"
>>
>>Two famous quotes from Henry Kissinger:
>>
>>"I may be paranoid, but they're still out to get me"
>>
>>"It's not whether I'm paranoid or not, it's whether I'm paranoid enough"
>>
>>I think we can neglect the danger of SQL injection when we have thisform.someCtl.value. And even if it's something we know the source of, we could pass it to the backend as a parameter, or do some .SanitizeString() procedure on it. There are techniques, of course.
>
>
>No need to sanitize anything if you parameterized.

Well, I said "or" :).

back to same old

the first online autobiography, unfinished by design
What, me reckless? I'm full of recks!
Balkans, eh? Count them.