One other thing: it may be possible for users inadvertently or deliberately to pass statements other than SQL select to this variable. The & prefix will execute ANY commands, however drastic.

Remember to check that the sqlTxt string is actually an SQL select statement. I use the following. (It also temporarily enables the ESC key while SQL commands are running). (It's written for VFP26, but also works under VFP6)

if upper(substr(alltrim(msql),1,6)) != "SELECT" or "FROM" $ UPPER(msql)=.F.
wait window "Nothing like an SQL command! Try again..." timeout 1
else
clear read
deactivate window isqlwin
wait window "Press to interrupt the search" timeout 1.0
set escape on
on escape do stopsearch
&msql
endif

procedure stopsearch
wait window "Search cancelled" timeout 0.5
on escape
set escape off
return

Cheers

John

Dr. JW Faithfull
Curator in Geology
Hunterian Museum
University of Glasgow
Glasgow G12 8QQ
Scotland