>>>
>>>*-- TEXT BLOCK BEGIN
>>>*-- everything between TEXT and ENDTEXT is sent to the server verbatim,
>>>*-- including the SQL comment with the trailing ? that trips SQLEXEC()
>>>TEXT TO lcVar NOSHOW TEXTMERGE
>>>select * from table1
>>>
>>>-- do we want a 2nd table here?
>>>
>>>select * from table2
>>>ENDTEXT
>>>*-- TEXT BLOCK END
>>>nRet=sqlexec(h, lcVar, "doh")  && h: open connection handle, "doh": result cursor
>>>
>>>This is a perfectly legal SQL statement, which would pass muster in QA, but not in VFP, because the oddball question mark at the end of a line, not followed immediately by a variable name, confuses the parser.
>>>
>>>So this had nothing to do with SQL injection.
>>
>>Yep. My mistake! Although I can't imagine why you are sending a command with comments in it. Isn't that like sending a * to execscript()? ;)
>
>It's because the comments don't hurt (unless they contain question marks, and maybe other dangerous punctuation), and because I have to create a temp table, retrieve about 20 cursors joined on it, and in the end kill the temp table, so there are a few pages between Text and EndText - and I strongly believe that code should be commented. Even if it's TSQL code. So there are comments in it.
What I mean is that the comments are not normally dealt with by the compiler/interpreter/computer. By including them in the text...endtext, you are shipping them over the wire. Comment your code for your reading, but don't comment the code the computer is reading.