[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Pass Chinese Characters into Dynamic SQL Stored Procedure

Posted on 2008-06-17
4
Medium Priority
?
1,558 Views
Last Modified: 2008-06-18
I'm using dynamic sql to execute an update statement via a stored procedure.  I have my exec statement set to NVarChar(4000).  I have my input parameters for the fields that need to be foreign characters set to NVarChar().  I have my DB datatypes set to NVarChar for those columns.  Yet when i pass in chinese characters they end up as ????????? in my DB.

I DO NOT have the same issue with my Insert stored procedure which is not dynamic.  That inserts the foreign characters just fine.

I've attached my code.  I really really want to get this to work as dynamic sql.  
ALTER PROCEDURE [dbo].[UpdateMember] 
	(
	--input parameters
	@MemberID int,
	@MemberNumber varchar(50),
    @Hotel varchar(50),
	@FirstName nvarchar(255),
	@LastName  nvarchar(255),
	@DateofBirth  DateTime,
	@Spouse  varchar(100),
	@NoOfChildren  char(2),
	@Address1  nvarchar(255),
	@Address2  nvarchar(255),
	@City  nvarchar(255),
	@State  nvarchar(255),
	@Country  nvarchar(255),
	@Zip  nvarchar(255),
	@HomePhone  varchar(12),
	@AlternatePhone  varchar(12),
	@Fax  char(10),
	@Email  varchar(50),
	@Pwd  varchar(50),
	@LanguageCode varchar(20) = 'EN',
	@MemberTypeCode varchar(50) = 'CL'
	)
AS
 
 
 
 
	/* SET NOCOUNT ON */ 
 
-------------------------------------------------------------
-- this has to be NVarChar to support foreign characters
-------------------------------------------------------------
Declare @SQL NVarChar(4000)
Set @SQL = '
	update	dbo.Members
	set		FirstName = upper( ''' + @FirstName + '''),
			MemberNumber = ''' + @MemberNumber + ''',
			hotel= ''' + @hotel + ''',
			LastName = upper( ''' + @LastName + '''),
			DateOfBirth = ''' + Convert(Varchar(100),@DateOfBirth) + ''',
			Spouse = upper(''' + @Spouse + '''),
			NoOfChildren = ''' + @NoOfChildren + ''',
			Address1 = upper(''' + @Address1 + '''),
			Address2 = upper(''' + @Address2 + '''),
			City = upper(''' + @City + '''),
			State = upper(''' + @State + '''),
			Country = upper(''' + @Country + '''),
			Zip = ''' + @Zip + ''',
			HomePhone = ''' + @HomePhone + ''',
			AlternatePhone = ''' + @AlternatePhone + ''',
			Fax = ''' + @Fax + ''',
			Email = ''' + @Email + ''',
			Pwd = ''' + @Pwd +''',
			LanguageTypeID = (Select LanguageTypeID from dbo.LanguageTypes where Code = ''' + @LanguageCode + '''),
			MemberTypeID = (Select MemberTypeID from dbo.MemberTypes where Code =''' + @MemberTypeCode + ''') '
 
	If @MemberID <> 0
	Begin
		Set @SQL = @SQL + '	where MemberID = ' + Convert(varchar(100),@MemberID)
	End
	Else
	Begin
		Set @SQL = @SQL + '	where MemberNumber = ''' + @MemberNumber + ''' '
	End
 
EXEC (@SQL)

Open in new window

0
Comment
Question by:davidcahan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 15

Expert Comment

by:rob_farley
ID: 21809853
A Unicode string should be specified with N before the string, like this:

SET @SQL = N'This is Unicode'

SET @SQL = 'This is NOT Unicde'

Even though @SQL is declared as Unicode, it will be doing all the concatenation without Unicode, and then converting it at the end. Try putting N in front of all your strings (like in the above example) to see if that solves it.

Rob
0
 
LVL 15

Accepted Solution

by:
rob_farley earned 2000 total points
ID: 21809876
But... please don't use this method for dynamic SQL. If someone with an apostrophe in their name logs in, they could hurt your system badly.

Search online for SQL Injection and you'll see plenty of information. You could easily fix it just by using sp_executesql with parameters.

Rob
0
 

Author Comment

by:davidcahan
ID: 21810214
it worked absolutely PERFECTLY once i used sp_executesql.  even though the syntax is a bit more verbose, in many ways it's a bunch easier.  no more having ot remember to use two or three sets of single apostrophes.  

I'm wondering though: normally when i create dynamic sql, i ofthen use the print statement to debug the sql.  I will pass in all the values for the parameters but instead of execute i do print.  then i copy and paste that into a new query window and debug from there.  how would i accomplish that sort of debugging using sp_executesql?  
0
 
LVL 15

Expert Comment

by:rob_farley
ID: 21810442
Glad to help. Is this marked as answered now then?
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question