>
>h=sqlstringconnect("your connect string here")
>?sqlexec(h, "-- is this a proper comment?", "none")
>
>
>You get a nice "SQL parameter is missing." error for this.
>
>Why? Because there's a question mark in the SQL command being sent, and VFP parses it, looking for parameters. Well, the parser isn't too smart - if it was, it would be writing SQL for us, right? - so it finds a question mark followed by nothing that would serve as a variable name, a-ha! Error.
>
>Just in case someone else bangs into this particular corner of the wall, may they escape without this ugly bump on the forehead.
I think everyone should get in the habit of parameterizing things that get sent to SQL Server.
h=sqlstringconnect("your connect string here")
LOCAL lcVar
lcVar = "-- is this a proper comment?"
?sqlexec(h, "?m.lcVar", "none")   && the ?-variable goes inside the SQL string; VFP binds it as a parameter instead of parsing its contents

Works like a charm. I just saw an article where a VFP guy wrote SQL-injection-attackable code. It wouldn't have happened directly from the UI; it would have happened after the user hit Save.
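As an added example, not code from either post above: the concatenated query the reply warns about, side by side with the parameterized SQLEXEC form it recommends, and the same trick applied to the "--" comment that tripped the original poster. The connection string, the Customers table and its LastName column, and the sample input are assumptions made up for illustration; SQLSTRINGCONNECT, SQLEXEC, SQLDISCONNECT, AERROR and the ?variable parameter syntax are standard VFP SQL pass-through.

```foxpro
* Added example (not from the original thread). Connection string,
* table, column and sample input are assumed for illustration.
LOCAL lnHandle, lcName, lcComment, lcSql, lnResult
lnHandle = SQLSTRINGCONNECT("your connect string here")
IF lnHandle < 1
   AERROR(laErr)
   ? "Connect failed:", laErr[2]
   RETURN
ENDIF

* Value as a user might type it into a UI field and then hit Save.
* The closing quote and the trailing "--" are what an attacker relies on.
lcName = "O'Brien' OR 1=1 --"

* VULNERABLE: building the WHERE clause by string concatenation.
* The quote in lcName closes the literal, "OR 1=1" becomes live SQL,
* and "--" comments out the closing quote VFP appended.
lcSql = "SELECT * FROM Customers WHERE LastName = '" + lcName + "'"
lnResult = SQLEXEC(lnHandle, lcSql, "crsBad")
? "Concatenated:", lnResult, IIF(lnResult > 0, RECCOUNT("crsBad"), 0)

* SAFE: a ?-prefixed VFP variable inside the command string is sent as
* a bound parameter. Everything in lcName, quotes and "--" included,
* arrives at the server as data, so none of it is parsed as SQL.
lnResult = SQLEXEC(lnHandle, ;
   "SELECT * FROM Customers WHERE LastName = ?m.lcName", "crsGood")
? "Parameterized:", lnResult, IIF(lnResult > 0, RECCOUNT("crsGood"), 0)

* The same rule defuses the original problem: a literal "?" in the SQL
* text is read by VFP as a parameter marker (hence "SQL parameter is
* missing"), but a "?" inside a parameter value is just a character.
lcComment = "-- is this a proper comment?"
lnResult = SQLEXEC(lnHandle, "SELECT ?m.lcComment AS Echoed", "crsEcho")
IF lnResult > 0
   ? "Echoed back unchanged:", crsEcho.Echoed
ELSE
   AERROR(laErr)
   ? "Echo failed:", laErr[2]
ENDIF

SQLDISCONNECT(lnHandle)
```

The difference to watch is not the result set but where the user's text ends up: in the concatenated version it is part of the statement the server compiles, in the parameterized version it is a value bound after compilation. That is also why the quoted "SQL parameter is missing" error only appears for question marks in the command text itself and never for question marks inside a bound value.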