469,903 Members | 1,958 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,903 developers. It's quick & easy.

Searching foreign characters - Classic ASP & SQL 2005

I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.

I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. For example, Profiler indicates that a
search for: ,

is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')

How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?

Thanks!
Oct 29 '08 #1
5 2553
Matt wrote:
I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.

I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. For example, Profiler indicates that a
search for: ,

is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')

How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?
How are you passing the data? Oh wait ... "contains" ... this is a
full-text search. I've no experience with those, but I guess I am
wondering if parameters can be used.

Anyways, we need to see the code that receives the strings and
builds/passes them to the sql statement.

--
HTH,
Bob Barrows
Oct 29 '08 #2
hi
how you are making the query?
"Matt" <mj*****@gmail.comescribi en el mensaje
news:d3**********************************@l62g2000 hse.googlegroups.com...
I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.

I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. For example, Profiler indicates that a
search for: ,

is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')

How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?

Thanks!
---
avast! Antivirus: Inbound message clean.
Virus Database (VPS): 081029-0, 29/10/2008
Tested on: 30/10/2008 11:04:12 a.m.
avast! - copyright (c) 1988-2008 ALWIL Software.
http://www.avast.com

---
avast! Antivirus: Outbound message clean.
Virus Database (VPS): 081029-0, 29/10/2008
Tested on: 30/10/2008 11:06:08 a.m.
avast! - copyright (c) 1988-2008 ALWIL Software.
http://www.avast.com

Oct 30 '08 #3
On Oct 29, 10:29*am, "Bob Barrows" <reb01...@NOyahoo.SPAMcomwrote:
Matt wrote:
I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.
I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. *For example, Profiler indicates that a
search for: ,
is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')
How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?

How are you passing the data? Oh wait ... "contains" ... this is a
full-text search. I've no experience with those, but I guess I am
wondering if parameters can be used.

Anyways, we need to see the code that receives the strings and
builds/passes them to the sql statement.

--
HTH,
Bob Barrows
Thanks to you both for replying!

Here's the code that accepts user input:
<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="40"></td>
</tr>

And here's the code that receives the string and creates the sql
statement (on a separate page from code above):
strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT top 1 '1' " & _
"FROM mydb.dbo.mytable "
'use full-text indexing
strSQL = strSQL & "WHERE contains(myfield, '" & chr(34) &
strMySearch & chr(34) & "') " & _
"OR (myfield2 = '" & strMySearch & "' OR myfield3= '" &
strMySearch & "') "

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
strExists = true
end if

FWIW, I'm also encountering this problem when not using full-text
indexes - here's an example:

<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="50"></td>
</tr>

strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT distinct myfield " & _
"FROM mydb.dbo.mytable " & _
"WHERE 1=1 "
If Len(strMySearch) 0 Then
strSQL = strSQL & "AND myfield like '%" & UCASE(strMySearch) & "%'
"
End If

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
arrMySearch = objRS.GetRows()
strUbound = UBound(arrMySearch,2)
end if
Nov 3 '08 #4
"Matt" <mj*****@gmail.comwrote in message
news:13**********************************@z6g2000p re.googlegroups.com...
On Oct 29, 10:29 am, "Bob Barrows" <reb01...@NOyahoo.SPAMcomwrote:
Matt wrote:
I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.
I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. For example, Profiler indicates that a
search for: ,
is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')
How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?

How are you passing the data? Oh wait ... "contains" ... this is a
full-text search. I've no experience with those, but I guess I am
wondering if parameters can be used.

Anyways, we need to see the code that receives the strings and
builds/passes them to the sql statement.

--
HTH,
Bob Barrows
>>>>>>>>>>>>>>>>>>>
Thanks to you both for replying!

Here's the code that accepts user input:
<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="40"></td>
</tr>

And here's the code that receives the string and creates the sql
statement (on a separate page from code above):
strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT top 1 '1' " & _
"FROM mydb.dbo.mytable "
'use full-text indexing
strSQL = strSQL & "WHERE contains(myfield, '" & chr(34) &
strMySearch & chr(34) & "') " & _
"OR (myfield2 = '" & strMySearch & "' OR myfield3= '" &
strMySearch & "') "

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
strExists = true
end if

FWIW, I'm also encountering this problem when not using full-text
indexes - here's an example:

<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="50"></td>
</tr>

strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT distinct myfield " & _
"FROM mydb.dbo.mytable " & _
"WHERE 1=1 "
If Len(strMySearch) 0 Then
strSQL = strSQL & "AND myfield like '%" & UCASE(strMySearch) & "%'
"
End If

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
arrMySearch = objRS.GetRows()
strUbound = UBound(arrMySearch,2)
end if
>>>>>>>>>>>>>>>>>>>>

I'm not convinced this is a SQL issue at all, not to say there isn't one, we
first need to discover how we are seeing &#xxxx; entities, this is
definitely not being done by SQL.

How are you acquiring the text of the SQL executed, (please be a specific as
possible describing your process of discovering the text, in these cases the
devil is in the detail)?

Is this a METHOD="POST or a METHOD="GET" form?
Is the form action URL the same page that holds for form or different one?
Are you intiailising the value of the input when generating the HTML form?
What codepage is set for the form page and the receiving page?
What charset is specified on the response for the form page?

BTW, You should google up SQL Injection Attack, the technique of
concatenating into SQL code value posted from a client leaves your site
vunerable.

--
Anthony Jones - MVP ASP/ASP.NET

Nov 4 '08 #5
On Nov 4, 4:20*am, "Anthony Jones" <AnthonyWJo...@yadayadayada.com>
wrote:
"Matt" <mjhs...@gmail.comwrote in message

news:13**********************************@z6g2000p re.googlegroups.com...
On Oct 29, 10:29 am, "Bob Barrows" <reb01...@NOyahoo.SPAMcomwrote:
Matt wrote:
I originally posted this in microsoft.public.sqlserver.server, and it
was suggested that I post here.
I'm having problems with searches via a classic ASP front-end of terms
including foreign characters. For example, Profiler indicates that a
search for: ,
is actually executed as:
SELECT top 1 '1' from dbo.mytable where contains(myfield,
'"все ок, юзай
на
здоровье"')
How do I prevent the foreign characters (in this case Cyrillic) from
being converted to HTML ASCII?
How are you passing the data? Oh wait ... "contains" ... this is a
full-text search. I've no experience with those, but I guess I am
wondering if parameters can be used.
Anyways, we need to see the code that receives the strings and
builds/passes them to the sql statement.
--
HTH,
Bob Barrows

Thanks to you both for replying!

Here's the code that accepts user input:
<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="40"></td>
</tr>

And here's the code that receives the string and creates the sql
statement (on a separate page from code above):
strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT top 1 '1' " & _
"FROM mydb.dbo.mytable "
'use full-text indexing
strSQL = strSQL & "WHERE contains(myfield, '" & chr(34) &
strMySearch & chr(34) & "') " & _
* *"OR (myfield2 = '" & strMySearch & "' OR myfield3= '" &
strMySearch & "') "

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
strExists = true
end if

FWIW, I'm also encountering this problem when not using full-text
indexes - here's an example:

<tr>
<td><b>My Search</b></td>
<td><input type="text" name="strMySearch" size="50"></td>
</tr>

strMySearch = Trim(Request("strMySearch"))

strSQL = "SELECT distinct myfield " & _
"FROM mydb.dbo.mytable " & _
"WHERE 1=1 "
If Len(strMySearch) 0 Then
strSQL = strSQL & "AND myfield like '%" & UCASE(strMySearch) & "%'
"
End If

set objRS = objConn.execute(strSQL)
if not objRS.EOF then
arrMySearch = objRS.GetRows()
strUbound = UBound(arrMySearch,2)
end if

I'm not convinced this is a SQL issue at all, not to say there isn't one,we
first need to discover how we are seeing &#xxxx; entities, this is
definitely not being done by SQL.

How are you acquiring the text of the SQL executed, (please be a specificas
possible describing your process of discovering the text, in these cases the
devil is in the detail)?

Is this a METHOD="POST or a METHOD="GET" form?
Is the form action URL the same page that holds for form or different one?
Are you intiailising the value of the input when generating the HTML form?
What codepage is set for the form page and the receiving page?
What charset is specified on the response for the form page?

BTW, You should google up SQL Injection Attack, the technique of
concatenating into SQL code value posted from a client leaves your site
vunerable.

--
Anthony Jones - MVP ASP/ASP.NET
Thanks for the response, Anthony. You pointed me in the right
direction and I was able to solve the problem by setting the codepage
on both the input and output forms to 65001 and the character set to
utf-8. Also, thanks for the warning about SQL injection. While this
is an internal site with trusted users, I would agree we should fix
this vulnerability ASAP.

Thanks again!
Nov 13 '08 #6

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

3 posts views Thread by Tetsuo | last post: by
8 posts views Thread by Mike | last post: by
1 post views Thread by Ole | last post: by
reply views Thread by tatemononai | last post: by
2 posts views Thread by tatemononai | last post: by
3 posts views Thread by =?Utf-8?B?R2VyaGFyZA==?= | last post: by
1 post views Thread by Waqarahmed | last post: by
reply views Thread by Salome Sato | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.