>>
>>*-- TEXT BLOCK BEGIN
>>TEXT TO lcVar NOSHOW TEXTMERGE
>>select * from table1
>>
>>-- do we want a 2nd table here?
>>
>>select * from table2
>>ENDTEXT
>>*-- TEXT BLOCK END
>>nRet=sqlexec(h, lcVar, "doh")
>>
>>This is a perfectly legal SQL statement, which would pass muster in QA, but not in VFP, because the oddball question mark at the end of a line, not followed immediately by a variable name, confuses the parser.
>>
>>So this had nothing to do with SQL injection.
>
>Yep. My mistake! Although I can't imagine why you are sending a command with comments in it. Isn't that like sending a * to execscript()? ;)
It's because the comments don't hurt (unless they contain question, Marx, and maybe other dangerous punctuation), and because I have to create a temp table, retrieve about 20 cursors joined on it, and in the end kill the temp table, so there are a few pages between Text and EndText - and I strongly believe that code should be commented. Even if it's TSQL code. So there are comments in it.
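
A lint for the problem discussed in this thread, as an added example that is not from any of the posters: it scans a T-SQL batch before it is handed to sqlexec() and reports every question mark that sits inside a comment, while leaving string literals and real `?var` parameters alone. The function name is this example's own, the sample batch is copied from the quoted code, and nested block comments and `''` as the in-string quote escape are T-SQL assumptions.

```python
# Added example: find '?' characters inside T-SQL comments before the batch
# is passed to VFP's sqlexec(), where '?' is read as a parameter marker.
def question_marks_in_comments(sql):
    """Return (line, column) for every '?' located inside a -- or /* */ comment."""
    hits = []
    i, line, line_start = 0, 1, 0
    depth = 0  # nesting depth of /* */ comments (assumed nestable, as in T-SQL)
    in_line_comment = in_string = False
    while i < len(sql):
        ch, two = sql[i], sql[i:i + 2]
        step = 1
        if ch == "\n":
            # A newline ends a -- comment; strings and block comments continue.
            line, line_start, in_line_comment = line + 1, i + 1, False
        elif in_line_comment:
            if ch == "?":
                hits.append((line, i - line_start + 1))
        elif depth:
            if two == "/*":
                depth, step = depth + 1, 2
            elif two == "*/":
                depth, step = depth - 1, 2
            elif ch == "?":
                hits.append((line, i - line_start + 1))
        elif in_string:
            if two == "''":      # doubled quote is an escaped quote, not the end
                step = 2
            elif ch == "'":
                in_string = False
        elif two == "--":
            in_line_comment, step = True, 2
        elif two == "/*":
            depth, step = 1, 2
        elif ch == "'":
            in_string = True
        i += step
    return hits

# The batch from the quoted TEXT ... ENDTEXT block.
SAMPLE = """select * from table1

-- do we want a 2nd table here?

select * from table2
"""

if __name__ == "__main__":
    for line_no, col in question_marks_in_comments(SAMPLE):
        print(f"line {line_no}, column {col}: '?' inside a comment")
```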