Subject: No question, Marx.
From: Dragan Nedeljkovich (Zrenjanin, Serbia), 28/04/2008 10:02:46
To: Mike Yearwood (Toronto, Ontario, Canada), 28/04/2008 08:42:58
Forum: Visual FoxPro
Category: Client/server
Environment: VFP 9 SP1, Windows XP SP1
Thread ID: 01313400
Message ID: 01313500
>I think everyone should get in the habit of parameterizing things that get sent to SQL Server.

I know, your pet theme, but...

>
>h=sqlstringconnect("your connect string here")
>LOCAL lcVar
>lcVar = "-- is this a proper comment?"
>?sqlexec(h, ?m.lcVar, "none")
>
>
>Works like a charm.

Yeah, but I'm not as charming as I may sound. I'm getting an error here.

I tried with
?sqlexec(h, "?m.lcVar", "none")
but that's not what I had in mind. It creates code where it declares @p1 as string, assigns it whatever value there was (the value of lcVar, in this case), and then replaces all instances of ?lcVar with @p1 in the text - which now consists of just that variable, and I get

Connectivity error: [Microsoft][SQL Native Client][SQL Server]Incorrect syntax near '@P1'.

Now you tell me how it turns a comment into a syntax error? What I had in mind (and in the case) was
LOCAL lcVar, nRet
*-- TEXT BLOCK BEGIN
TEXT TO lcVar NOSHOW TEXTMERGE
select * from table1

-- do we want a 2nd table here?

select * from table2
ENDTEXT
*-- TEXT BLOCK END
* the trailing ? on the comment line is what SQLEXEC's parameter parsing trips over
nRet=sqlexec(h, lcVar, "doh")
This is a perfectly legal SQL statement, which would pass muster in QA, but not in VFP, because the oddball question mark at the end of a line, not followed immediately by a variable name, confuses the parser.

So this had nothing to do with SQL injection.

back to same old

the first online autobiography, unfinished by design
What, me reckless? I'm full of recks!
Balkans, eh? Count them.
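The substitution described in the message above (declare @P1, bind the variable's value, replace the marker in the text) can be modelled to show why a stray `?` derails a scanner that does not know about SQL comments, and what a scanner that skips comments and string literals does instead. The Python below is an added illustration, not Visual FoxPro's implementation and not code from either poster; `rewrite_naive`, `rewrite_aware`, the sample SQL strings and the `SCOPE` dictionary are constructed for it, and where the naive model raises an error VFP's real parser may behave differently.

```python
"""Model of client-side '?name' parameter-marker rewriting.

Added illustration, NOT Visual FoxPro's code: declare @Pn, bind the
variable's value, replace the marker in the SQL text, and show why a
literal '?' inside a comment breaks a scanner that ignores SQL syntax.
"""
import re
from typing import Dict, List, Tuple

IDENT = re.compile(r"[A-Za-z_]\w*")
Params = List[Tuple[str, object]]


def _bind_marker(sql: str, i: int, scope: Dict[str, object],
                 out: List[str], params: Params) -> int:
    """Consume the marker at sql[i] == '?', emit '@Pn' and bind the value.

    Accepts '?name' and VFP's explicit '?m.name'.  A '?' with no variable
    name after it (e.g. one ending a comment) has nothing to bind, so the
    model reports an error instead of guessing what VFP would do.
    """
    j = i + 1
    if sql.startswith("m.", j):
        j += 2
    m = IDENT.match(sql, j)
    if m is None:
        raise ValueError(f"'?' at offset {i} is not followed by a variable name")
    name = m.group(0)
    if name not in scope:
        raise KeyError(f"variable {name!r} is not in scope")
    marker = f"@P{len(params) + 1}"
    params.append((marker, scope[name]))   # value travels as a bound parameter
    out.append(marker)
    return m.end()


def rewrite_naive(sql: str, scope: Dict[str, object]) -> Tuple[str, Params]:
    """Treat every '?' as a marker, including those in comments and strings."""
    out: List[str] = []
    params: Params = []
    i = 0
    while i < len(sql):
        if sql[i] == "?":
            i = _bind_marker(sql, i, scope, out, params)
        else:
            out.append(sql[i])
            i += 1
    return "".join(out), params


def rewrite_aware(sql: str, scope: Dict[str, object]) -> Tuple[str, Params]:
    """Same rewriting, but a '?' inside a '--' comment, a '/* */' comment or a
    single-quoted literal ('' escapes a quote) is copied through untouched."""
    out: List[str] = []
    params: Params = []
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if sql.startswith("--", i):            # line comment up to newline
            j = sql.find("\n", i)
            j = n if j < 0 else j
            out.append(sql[i:j])
            i = j
        elif sql.startswith("/*", i):          # block comment
            j = sql.find("*/", i + 2)
            if j < 0:
                raise ValueError("unterminated block comment")
            out.append(sql[i:j + 2])
            i = j + 2
        elif ch == "'":                        # string literal
            k = i + 1
            while True:
                k = sql.find("'", k)
                if k < 0:
                    raise ValueError("unterminated string literal")
                if sql.startswith("''", k):    # doubled quote, keep scanning
                    k += 2
                    continue
                break
            out.append(sql[i:k + 1])
            i = k + 1
        elif ch == "?":
            i = _bind_marker(sql, i, scope, out, params)
        else:
            out.append(ch)
            i += 1
    return "".join(out), params


# Constructed sample input: the comment case from the post, plus a query with
# real markers and a '?' both inside a comment and inside a string literal.
SQL_WITH_COMMENT = (
    "select * from table1\n"
    "\n"
    "-- do we want a 2nd table here?\n"
    "\n"
    "select * from table2\n"
)
SQL_WITH_MARKERS = (
    "select * from orders\n"
    " where customer = ?m.lcCust  -- which one?\n"
    "   and note <> 'why?' and status = ?lnStatus\n"
)
SCOPE = {"lcCust": "O'Brien", "lnStatus": 3}   # stands in for VFP's m. variables
```

Run against `SQL_WITH_COMMENT`, `rewrite_naive` stops at the `?` that ends the comment while `rewrite_aware` returns the text unchanged with nothing bound; against `SQL_WITH_MARKERS`, the aware scanner yields `@P1` and `@P2` in code positions only, with `O'Brien` (quote and all) and `3` travelling as bound values rather than being spliced into the statement. The practical takeaway for the case in the thread is the same either way: keep values in parameters, and keep a literal `?` out of any comment or text the client-side marker scanner will see.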