>Hi Mark
>
>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>mproperty01 = ntr_desc
>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>
>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.
If you concenate a SQL string you just construct a string.
SQL injection is when you manipulate a part of the string (in this: a parameter) so that it will run extra commands. You inject a command via abused parameter
But in general you are right, it's better to do it your way.
Words are given to man to enable him to conceal his true feelings.
Charles Maurice de Talleyrand-Périgord
Weeks of programming can save you hours of planning.
OffThere is no place like [::1]