Hello, Greg

>>Also you can't delete SQL Server anything if you use SQL Server authentication and never give users any NT authentications to the server. There is a huge difference here. I can specify in SQL Server what data access the user has without giving them any privliges to the NT system that would allow a user to destroy data through the Windows file system.

Yep, agreed. To match this with FP tables you'd need to use a middle tier of some sort- as you say, not common in accounting systems.

>>Now it's possible a user could hijack the ODBC connection outside of a VFP app which is why it's important to lock down user options in SQL Server and keep the password encrypted in the VFP EXE. Never do I put a password in a workstation ODBC and I always try to use DNSless connections to further conceal the server logons from the average hacker.

Agree 100%. Some would say it is even more secure to use SP; curiously I've seen SP set up to allow calls based on NT user privs, allowing an informed hacker to misuse the SP. Not possible using a SQL server user whose password is encrypted and never available to users.

>>VFP is a good database and I think many people under-estimate how valueable the VFP engine is in client/server apps. But when you start getting into heavy duty security it's hard to protect VFP if someone is determined to mess you up.

Agreed. However, at one of my clients the SA deleted the SQL server database accidentally. He was fired, but it hammered home that availability of sensible security/safety features does not guarantee they are used. When I practiced I regularly saw machinists who disabled or reached around safety shields and got hair, clothing or limbs pulled into machines. Humans are perverse!!

Regards

j.R