> On Sat, Feb 11, 2012 at 8:55 PM, Ken Dibble <[email protected]> wrote:
> > Thus a cite from authority that there is nothing wrong with creating
> > queries by string concatenation as long as you validate the input first.
>
> Well, I suspect this "authority" hasn't worked in languages that have
> as elegant a support for placeholder substitutions as FoxPro.
Not so easy to use if the location where the SQL is executed (or passed via SPT) is not in the same scope as the location where the values to be concatenated are populated--this is a point everybody misses. I don't bind controls or properties to data, and I don't execute the SQL queries/expressions in the same object where those values get populated.

Sorry for bringing up this religious war again. (Well, not really. *L*) But there is no "one-size-fits-all" prescription for this issue.

Ken Dibble
www.stic-cil.org

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
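The scope question raised in the thread (values collected in one object, SQL executed in another) can be worked through in code. The following is an added example, not part of Ken's post or of any ProFox member's code, and it uses Python with sqlite3 rather than FoxPro/SPT because that runs anywhere. The `QuerySpec` name, the two "layers", the `customer` table and the sample names are all constructed for the illustration. It places a validate-then-concatenate path next to a placeholder path in which the SQL text and its values are bundled and handed across the object boundary unexecuted, and shows what each does with an ordinary name containing an apostrophe and with a classic injection string that passes a separator/comment filter.

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample data standing in for a customer table (not from the thread).
SAMPLE_ROWS = [("O'Brien", "active"), ("Dibble", "active"), ("Smith", "closed")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT, status TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


@dataclass(frozen=True)
class QuerySpec:
    """Hypothetical carrier for SQL text with ? placeholders plus the values
    that belong to them. This pair is what crosses the object boundary, so
    the executing side never sees, validates or escapes raw user input."""
    sql: str
    params: tuple = ()


# --- Layer 1: the object that collects the user's input ---------------------

def naive_validate(value):
    """A typical 'validate first' filter: reject statement separators and
    SQL comments. It does not look at quotes."""
    if ";" in value or "--" in value:
        raise ValueError("suspicious input")
    return value


def build_concat(name):
    # Concatenation after validation: the SQL text is final at this point.
    return "SELECT name FROM customer WHERE name = '" + naive_validate(name) + "'"


def build_spec(name):
    # Placeholder version: text and value travel together, still unexecuted.
    return QuerySpec("SELECT name FROM customer WHERE name = ?", (name,))


# --- Layer 2: the object that executes, in a different scope ----------------

def run_concat(conn, sql):
    return [row[0] for row in conn.execute(sql)]


def run_spec(conn, spec):
    # The driver binds params at execution time, so the value is never
    # interpreted as SQL regardless of how far it travelled to get here.
    return [row[0] for row in conn.execute(spec.sql, spec.params)]


def compare(name):
    """Run the same user value through both paths and return the results."""
    conn = make_db()
    try:
        concat = run_concat(conn, build_concat(name))
    except (ValueError, sqlite3.Error) as exc:
        concat = f"error: {exc.__class__.__name__}"
    spec = run_spec(conn, build_spec(name))
    return {"concatenated": concat, "parameterized": spec}


if __name__ == "__main__":
    for value in ("Dibble", "O'Brien", "' OR '1'='1", "x; DROP TABLE customer"):
        print(repr(value), compare(value))
```

Three outcomes are worth noting: a legitimate name with an apostrophe breaks the concatenated statement outright, the `' OR '1'='1` string sails past the separator/comment filter and returns every row, and the `QuerySpec` path returns exactly the matching row (or nothing) in every case even though the object that runs it never inspected the input.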

