>>>>>How do you change the following SQL Select into parameterized?
>>>>>
>>>>>
>>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField = '" + cFldValue + "'", "c_cursor")
>>>>>
>>>>>
>>>>>TIA.
>>>>
>>>>private cFldValue
>>>>
>>>>cFldValue = 'Test'
>>>>
>>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue", "c_cursor")
>>>
>>>Where do you put the closing quotation mark (")? After ?cFldValue? Or after =? For example, is the following correct syntax?:
>>>
>>>
>>>nResult = SQLEXEC(hCon, "SELECT * FROM MyTable WHERE MyField =?cFldValue", "c_cursor")
>>>
>>
>>Yes.
>
>Thank you.
FYI - You can do virtually the same in VFP, and by doing so across the board you'd never have created SQL-injection-prone code like your original.
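The point of the thread, that the ?cFldValue form hands the value to the driver as a bound parameter instead of splicing it into the SQL text, shown as an added example that is mine and not the posters' VFP code. It is written in Python with sqlite3 rather than VFP so it can be run anywhere: the concatenated query from the original post sits beside its parameterized counterpart, and both are run against a constructed in-memory table with a benign value, an injection payload, and a legitimate value that happens to contain an apostrophe. The table, the rows and the payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for MyTable; not from the original thread.
ROWS = [
    ("alice", "secret-a"),
    ("bob", "secret-b"),
    ("Test", "secret-t"),
    ("O'Brien", "secret-o"),  # legitimate value containing an apostrophe
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table and load the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MyTable (MyField TEXT, Payload TEXT)")
    con.executemany("INSERT INTO MyTable VALUES (?, ?)", ROWS)
    return con


def select_concat(con: sqlite3.Connection, field_value: str) -> list:
    """Vulnerable form: mirrors the original SQLEXEC string concatenation.

    The caller's value becomes part of the SQL text, so quotes in it change
    the statement's meaning.
    """
    sql = "SELECT * FROM MyTable WHERE MyField = '" + field_value + "'"
    return con.execute(sql).fetchall()


def select_param(con: sqlite3.Connection, field_value: str) -> list:
    """Hardened form: the bound parameter is the counterpart of VFP's ?cFldValue.

    The SQL text is fixed; the value is sent separately and can never be
    parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT * FROM MyTable WHERE MyField = ?"
    return con.execute(sql, (field_value,)).fetchall()


def demo() -> dict:
    """Run both forms against three inputs and return the row counts.

    For the apostrophe case the concatenated query is a syntax error, so the
    result is recorded as the string "error" instead of a count.
    """
    con = make_db()
    benign = "Test"
    hostile = "' OR '1'='1"      # classic tautology payload
    apostrophe = "O'Brien"       # not an attack, just real-world data

    results = {
        "concat_benign": len(select_concat(con, benign)),
        "concat_hostile": len(select_concat(con, hostile)),   # every row leaks
        "param_benign": len(select_param(con, benign)),
        "param_hostile": len(select_param(con, hostile)),     # matches nothing
        "param_apostrophe": len(select_param(con, apostrophe)),
    }
    try:
        results["concat_apostrophe"] = len(select_concat(con, apostrophe))
    except sqlite3.Error:
        results["concat_apostrophe"] = "error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things worth noticing in the output: the tautology payload turns the concatenated WHERE clause into `MyField = '' OR '1'='1'` and returns the whole table, while the parameterized query simply looks for a field literally equal to the payload and finds nothing; and the concatenated form fails on `O'Brien` even with no attacker involved, which is the everyday reason to bind parameters rather than build SQL strings. The same separation of code from data is what SQLEXEC gives you when the value goes through ?cFldValue instead of the string being assembled with + and quotes.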