>>I think everyone should get in the habit of parameterizing things that get sent to SQL Server.
>
>I know, your pet theme, but...
>
>>

>>h=sqlstringconnect("your connect string here")
>>LOCAL lcVar
>>lcVar = "-- is this a proper comment?"
>>?sqlexec(h, ?m.lcVar, "none")
>>

>>
>>Works like a charm.
>
>Yeah, but I'm not as charming as I may sound. I'm getting an error here.
>
>I tried with
>

?sqlexec(h, "?m.lcVar", "none")

>
>but that's not what I had in mind. It creates code where it declares @p1 as string, assigns it whatever value there was (the value of lcVar, in this case), and then replaces the all instance of ?lcVar with @p1 in the text - which now consists of just that variable, and I get
>
>Connectivity error: [Microsoft][SQL Native Client][SQL Server]Incorrect syntax near '@P1'.
>
>Now you tell me how does it turn a comment into a syntax error? What I had in mind (and in the case) was
>
>

>*-- TEXT BLOCK BEGIN
>TEXT TO lcVar NOSHOW TEXTMERGE
>select * from table1
>
>-- do we want a 2nd table here?
>
>select * from table2
>ENDTEXT
>*-- TEXT BLOCK END
>nRet=sqlexec(h, lcVar, "doh")
>

>This is a perfectly legal SQL statement, which would pass muster in QA, but not in VFP, because the oddball question mark at the end of a line, not followed immediately by a variable name, confuses the parser.
>
>So this had nothing to do with SQL injection.

Yep. My mistake! Although I can't imagine why you are sending a command with comments in it. Isn't that like sending a * to execscript()? ;)