Level Extreme Platform
SQL Insert fields with a ' in them
Message
From: Lutz Scheffler, Lutz Scheffler Software Ingenieurbüro, Dresden, Germany (03/06/2015 11:36:09)
To: Mike Yearwood, Toronto, Ontario, Canada (03/06/2015 11:24:15)
General information
Forum: Visual FoxPro
Category: Coding, syntax and commands
Environment versions
Visual FoxPro: VFP 9 SP2
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Desktop
Miscellaneous
Thread ID: 01620334
Message ID: 01620576
Views: 65
>>>Hi Mark
>>>
>>>*This is not needed. mproperty01 = ALLTRIM(STRTRAN(NTR_desc,"'",""))
>>>mproperty01 = ntr_desc
>>>lcInsert = "insert into nominaltransaction(nominalbatchnum) values ( ?m.mProperty01 )"
>>>
>>>Anything where you concatenate the data into the sql command is called SQL INJECTION. That practice leaves you open to SQL Injection Attacks. Besides, doing what I show above means you need not do any strtrans to sanitize the input.
>>
>>If you concatenate a SQL string you just construct a string.
>>SQL injection is when you manipulate a part of the string (in this case, a parameter) so that it will run extra commands. You inject a command via an abused parameter.
>>
>>But in general you are right, it's better to do it your way.
>
>This may be simply a matter of semantics, but if you're using parameters, it cannot be abused. In my interpretation, the programmer is injecting a value into a string during concatenation. It is this injection that is abused during a sql injection attack. :)

This is the problem with recklessly named things. Like Greeks in Trojan Horses -> Trojans :)
Words are given to man to enable him to conceal his true feelings.
Charles Maurice de Talleyrand-Périgord

Weeks of programming can save you hours of planning.

Off

There is no place like [::1]
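The thread's point, that a bound parameter (VFP's `?m.mProperty01`) carries an apostrophe safely while splicing the value into the SQL text does not, can be shown with a small runnable stand-in. The following is an added example, not code from the thread: it uses Python's sqlite3 module and an in-memory copy of the `nominaltransaction` table in place of VFP and MS SQL Server, and the sample values, the function names and the table layout are constructed for the demonstration.

```python
import sqlite3

# Constructed sample inputs (not from the thread): a description with an apostrophe in it,
# and one that happens to contain SQL-looking text. Both are ordinary data to the database.
SAMPLE_VALUES = [
    "O'Brien batch",
    "batch'; select 1 --",
]


def make_db():
    """In-memory stand-in for the nominaltransaction table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table nominaltransaction (nominalbatchnum text)")
    return conn


def insert_by_concatenation(conn, value):
    """Splices the value into the SQL text, the practice the thread warns against.

    Returns True if the statement ran, False if the apostrophe changed the
    statement's structure so the parser rejected it. A server that accepts
    several statements per batch would not necessarily reject it, which is
    the actual injection risk; here only the breakage is visible.
    """
    sql = "insert into nominaltransaction(nominalbatchnum) values ('" + value + "')"
    try:
        conn.execute(sql)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def insert_by_parameter(conn, value):
    """Sends the value as a bound parameter, the counterpart of VFP's ?m.mProperty01.

    The driver ships the value separately from the statement text, so an
    apostrophe can never terminate the literal and nothing has to be stripped
    with STRTRAN() beforehand.
    """
    conn.execute("insert into nominaltransaction(nominalbatchnum) values (?)", (value,))
    return True


def stored_values(conn):
    """Reads back what actually landed in the table."""
    return [row[0] for row in conn.execute("select nominalbatchnum from nominaltransaction")]


def run_demo(values=SAMPLE_VALUES):
    """Runs both approaches over the sample values.

    Returns (concat_outcomes, param_outcomes, rows): the per-value success
    flag of each approach and the rows that ended up stored.
    """
    conn = make_db()
    concat_outcomes = [insert_by_concatenation(conn, v) for v in values]
    param_outcomes = [insert_by_parameter(conn, v) for v in values]
    return concat_outcomes, param_outcomes, stored_values(conn)


if __name__ == "__main__":
    concat, param, rows = run_demo()
    for v, c, p in zip(SAMPLE_VALUES, concat, param):
        print(f"{v!r}: concatenation ok={c}, parameter ok={p}")
    print("stored:", rows)
```

Running it shows both concatenated inserts failing on the apostrophe while both parameterized inserts succeed and store the text exactly as given, apostrophe included. The failure is the friendly outcome; the same concatenation against a server that runs multiple statements per batch is where the injection the thread describes becomes possible, and binding the value is what removes that path.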