SQL Insert fields with a ' in them
Message
From: Mike Yearwood, Toronto, Ontario, Canada (03/06/2015 11:24:15)
To: Lutz Scheffler, Lutz Scheffler Software Ingenieurbüro, Dresden, Germany (02/06/2015 10:27:45)
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Desktop
Miscellaneous
Thread ID: 01620334
Message ID: 01620574
Views: 112
>>Hi Mark
>>
>>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>>mproperty01 = ntr_desc
>>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>>
>>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.
>
>If you concatenate a SQL string you just construct a string.
>SQL injection is when you manipulate a part of the string (in this case: a parameter) so that it will run extra commands. You inject a command via an abused parameter.
>
>But in general you are right, it's better to do it your way.

This may be simply a matter of semantics, but if you're using parameters, it cannot be abused. In my interpretation, the programmer is injecting a value into a string during concatenation. It is this injection that is abused during a SQL injection attack. :)
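The contrast drawn in this thread, as an added example that is not from the thread or from VFP: Python's sqlite3 stands in for VFP's SQLEXEC() pass-through to SQL Server, the table and column names are taken from the quoted code rather than a real schema, and the sample value is constructed.

```python
import sqlite3


def make_db():
    """In-memory table standing in for the SQL Server table named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nominaltransaction (nominalbatchnum TEXT)")
    return conn


def sanitise_by_stripping(value):
    """The ALLTRIM(STRTRAN(x, "'", "")) workaround: it silently changes the data."""
    return value.replace("'", "").strip()


def insert_concatenated(conn, value):
    """Concatenate the value into the SQL text (the pattern the post warns against).

    The quote inside the value ends the string literal early, so the data itself
    breaks the statement; that same effect is what lets untrusted input change
    what the statement does. Returns 'inserted' or 'OperationalError'."""
    sql = "INSERT INTO nominaltransaction(nominalbatchnum) VALUES ('" + value + "')"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return "OperationalError"
    return "inserted"


def insert_parameterised(conn, value):
    """Bind the value: the Python form of VALUES ( ?m.mProperty01 ) in VFP.

    SQL text and data travel separately, so a quote in the data stays data."""
    conn.execute("INSERT INTO nominaltransaction(nominalbatchnum) VALUES (?)", (value,))
    return "inserted"


def stored_values(conn):
    """Read back what actually landed in the table."""
    return [row[0] for row in conn.execute("SELECT nominalbatchnum FROM nominaltransaction")]


def demo():
    conn = make_db()
    name = "O'Brien"  # constructed sample value containing the apostrophe the thread is about
    return {
        "stripped": sanitise_by_stripping(name),            # 'OBrien': data corrupted
        "concatenated": insert_concatenated(conn, name),    # 'OperationalError'
        "parameterised": insert_parameterised(conn, name),  # 'inserted'
        "stored": stored_values(conn),                      # ["O'Brien"], apostrophe intact
    }
```

Run `demo()` to see all four outcomes side by side; only the bound parameter both succeeds and preserves the apostrophe.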