SQL Select with DateTime and Int
Message
From: Cetin Basoz, Engineerica Inc., Izmir, Turkey
Date: 14/06/2019 12:42:23

General information
Forum: Visual FoxPro
Category: Databases, Tables, Views, Indexing and SQL syntax
Miscellaneous
Thread ID: 01669054
Message ID: 01669093
Views: 45
>
>I use ODBC, not ADO. And I don't use - in this particular case - the parameterized SQL Select. The entire SQL Select expression is passed to a function and the variables are not in scope. And in this case I am not concerned about Injection since user can only select/specify the date. All other parts of the expression are in the VFP code (hard-coded).

Then there is some ODBC driver that you use and that supports VFP? Nice. Then:

IF m.plSqlServer
    *-- SQL Server: the ?m.dPassDate parameter is bound by SQLExec, not spliced into the text
    cLifeExpFilter = " AND (PURCHASED IS NOT NULL AND LIFE_EXP IS NOT NULL AND LIFE_EXP > 0 AND ( " +;
                     " ?m.dPassDate >= DATEADD( year, LIFE_EXP, PURCHASED)) ) "
ELSE
    *-- VFP DB
    cLifeExpFilter = " AND (!EMPTY(PURCHASED) AND LIFE_EXP > 0 AND ?m.dPassDate >= GOMONTH(PURCHASED,LIFE_EXP*12))"
ENDIF

* this needs to be in scope only where SQLExec is executed.
* until then the SQL is simply a string
dPassDate = date()  && but could be a different date since user can change it from the current date to a future date
SQLExec(m.handle, ...)
"And in this case I am not concerned about Injection since user can only select/specify the date."

Unfortunately many programmers think parameters are only for 'SQL injection attack'. They are not. They are also there to pass the values correctly for the backend (the driver knows how to pass a date value, for example).
Çetin Basöz

The way to Go
Flutter - For mobile, web and desktop.
World's most advanced open source relational database.
.Net for foxheads - Blog (main)
FoxSharp - Blog (mirror)
Welcome to FoxyClasses

LinqPad - C#,VB,F#,SQL,eSQL ... scratchpad
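The point about parameters carrying the right type, as an added example that is not from the post: Python's sqlite3 stands in for VFP plus the ODBC driver, the asset rows are constructed, and the post's life-expectancy filter is run once with the pass date bound as a parameter and once with a locale-formatted date spliced into the SQL text.

```python
import sqlite3
from datetime import date

# Constructed sample data: asset, purchase date (ISO text), life expectancy in years.
ROWS = [
    ("pump-1", "2010-03-15", 5),   # expired 2015-03-15
    ("pump-2", "2016-09-01", 3),   # expires 2019-09-01, still in life on 2019-06-14
    ("pump-3", None, 4),           # unknown purchase date: must be excluded
    ("pump-4", "2012-01-20", 0),   # LIFE_EXP of 0: must be excluded
]

# The "driver" part: a registered adapter decides how a date travels to the backend.
sqlite3.register_adapter(date, lambda d: d.isoformat())

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE assets (ASSET TEXT, PURCHASED TEXT, LIFE_EXP INTEGER)")
    con.executemany("INSERT INTO assets VALUES (?, ?, ?)", ROWS)
    return con

# Same shape as the post's SQL Server branch, with SQLite's date() in place of DATEADD:
# the pass date must be on or after PURCHASED + LIFE_EXP years.
LIFE_EXP_FILTER = (
    " AND (PURCHASED IS NOT NULL AND LIFE_EXP IS NOT NULL AND LIFE_EXP > 0"
    " AND ? >= date(PURCHASED, '+' || LIFE_EXP || ' years'))"
)

def expired_parameterized(con, pass_date):
    """The filter string is built anywhere; the date is bound where execute() runs."""
    sql = "SELECT ASSET FROM assets WHERE 1=1" + LIFE_EXP_FILTER
    return [r[0] for r in con.execute(sql, (pass_date,))]

def expired_concatenated(con, pass_date_text):
    """Splicing user-formatted text (e.g. dd/mm/yyyy) makes the backend compare strings."""
    sql = ("SELECT ASSET FROM assets WHERE 1=1"
           + LIFE_EXP_FILTER.replace("?", "'" + pass_date_text + "'"))
    return [r[0] for r in con.execute(sql)]

if __name__ == "__main__":
    db = open_db()
    print(expired_parameterized(db, date(2019, 6, 14)))   # ['pump-1']
    print(expired_concatenated(db, "14/06/2019"))         # [] : wrong, text compared as text
```

With the parameter bound, the backend receives an ISO date and the comparison is chronological; with the dd/mm/yyyy text spliced in, the same backend compares two strings and silently drops the expired asset.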