Pass Chinese Characters into Dynamic SQL Stored Procedure

Posted on 2008-06-17
Last Modified: 2008-06-18
I'm using dynamic sql to execute an update statement via a stored procedure.  I have my exec statement set to NVarChar(4000).  I have my input parameters for the fields that need to be foreign characters set to NVarChar().  I have my DB datatypes set to NVarChar for those columns.  Yet when i pass in chinese characters they end up as ????????? in my DB.

I DO NOT have the same issue with my Insert stored procedure which is not dynamic.  That inserts the foreign characters just fine.

I've attached my code.  I really really want to get this to work as dynamic sql.  
ALTER PROCEDURE [dbo].[UpdateMember] 


	--input parameters

	@MemberID int,

	@MemberNumber varchar(50),

    @Hotel varchar(50),

	@FirstName nvarchar(255),

	@LastName  nvarchar(255),

	@DateofBirth  DateTime,

	@Spouse  varchar(100),

	@NoOfChildren  char(2),

	@Address1  nvarchar(255),

	@Address2  nvarchar(255),

	@City  nvarchar(255),

	@State  nvarchar(255),

	@Country  nvarchar(255),

	@Zip  nvarchar(255),

	@HomePhone  varchar(12),

	@AlternatePhone  varchar(12),

	@Fax  char(10),

	@Email  varchar(50),

	@Pwd  varchar(50),

	@LanguageCode varchar(20) = 'EN',

	@MemberTypeCode varchar(50) = 'CL'





-- this has to be NVarChar to support foreign characters


Declare @SQL NVarChar(4000)

Set @SQL = '

	update	dbo.Members

	set		FirstName = upper( ''' + @FirstName + '''),

			MemberNumber = ''' + @MemberNumber + ''',

			hotel= ''' + @hotel + ''',

			LastName = upper( ''' + @LastName + '''),

			DateOfBirth = ''' + Convert(Varchar(100),@DateOfBirth) + ''',

			Spouse = upper(''' + @Spouse + '''),

			NoOfChildren = ''' + @NoOfChildren + ''',

			Address1 = upper(''' + @Address1 + '''),

			Address2 = upper(''' + @Address2 + '''),

			City = upper(''' + @City + '''),

			State = upper(''' + @State + '''),

			Country = upper(''' + @Country + '''),

			Zip = ''' + @Zip + ''',

			HomePhone = ''' + @HomePhone + ''',

			AlternatePhone = ''' + @AlternatePhone + ''',

			Fax = ''' + @Fax + ''',

			Email = ''' + @Email + ''',

			Pwd = ''' + @Pwd +''',

			LanguageTypeID = (Select LanguageTypeID from dbo.LanguageTypes where Code = ''' + @LanguageCode + '''),

			MemberTypeID = (Select MemberTypeID from dbo.MemberTypes where Code =''' + @MemberTypeCode + ''') '

	If @MemberID <> 0


		Set @SQL = @SQL + '	where MemberID = ' + Convert(varchar(100),@MemberID)




		Set @SQL = @SQL + '	where MemberNumber = ''' + @MemberNumber + ''' '



Open in new window

Question by:davidcahan
  • 3
LVL 14

Expert Comment

ID: 21809853
A Unicode string should be specified with N before the string, like this:

SET @SQL = N'This is Unicode'

SET @SQL = 'This is NOT Unicde'

Even though @SQL is declared as Unicode, it will be doing all the concatenation without Unicode, and then converting it at the end. Try putting N in front of all your strings (like in the above example) to see if that solves it.

LVL 14

Accepted Solution

rob_farley earned 500 total points
ID: 21809876
But... please don't use this method for dynamic SQL. If someone with an apostrophe in their name logs in, they could hurt your system badly.

Search online for SQL Injection and you'll see plenty of information. You could easily fix it just by using sp_executesql with parameters.


Author Comment

ID: 21810214
it worked absolutely PERFECTLY once i used sp_executesql.  even though the syntax is a bit more verbose, in many ways it's a bunch easier.  no more having ot remember to use two or three sets of single apostrophes.  

I'm wondering though: normally when i create dynamic sql, i ofthen use the print statement to debug the sql.  I will pass in all the values for the parameters but instead of execute i do print.  then i copy and paste that into a new query window and debug from there.  how would i accomplish that sort of debugging using sp_executesql?  
LVL 14

Expert Comment

ID: 21810442
Glad to help. Is this marked as answered now then?

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

by Mark Wills Attending one of Rob Farley's seminars the other day, I heard the phrase "The Accidental DBA" and fell in love with it. It got me thinking about the plight of the newcomer to SQL Server...  So if you are the accidental DBA, or, simp…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now