So I'm developing a PHP script that stores form data in an MSSQL DB. It seems the only way to be sure to avoid SQL injection is to use stored procedures, which one should anyway. All is good in English, but with other character sets, in this case Thai, I get ?????
I'm sure I'm missing something obvious. Here's the SP:
ALTER PROCEDURE [dbo].[sp_insert_contactus]
    -- Add the parameters for the stored procedure here.
    -- nchar(200) is Unicode (UTF-16) but fixed-width, so every value is
    -- space-padded to 200 characters; nvarchar(200) would avoid the padding.
    -- The parameter type alone is not enough: the target columns in
    -- Contact_RL must also be nchar/nvarchar, or the text is converted
    -- to the column's code page on insert.
    @firstName nchar(200) = '',
    @lastName  nchar(200) = ''
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    -- Insert statements for procedure here
    INSERT INTO Contact_RL (FirstName, LastName)
    VALUES (@firstName, @lastName);
END
exec sp_insert_contactus 'test', 'ทดสอบ'
and
exec sp_insert_contactus 'test', N'ทดสอบ'
both give the same result.
So what's the trick?
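The following T-SQL script is an added example, not part of the original question, and does not touch the asker's Contact_RL table. It reproduces the ????? symptom in a session-local pair of temp tables (assumed names #narrow and #wide) so you can see which of the three places the Thai text is lost: a literal without the N prefix, a Unicode value converted into a varchar/char column, or neither. The sp_executesql call at the end shows the shape a properly parameterised driver call takes, which is also the SQL-injection-safe way to call the procedure without building the EXEC string yourself.

```sql
-- Added example (not from the original post). Assumption: the real culprit is
-- the column type of Contact_RL, so this compares 8-bit and Unicode columns.
SET NOCOUNT ON;

-- varchar stores text in the code page of the database collation;
-- nvarchar stores UTF-16 and holds any Unicode text.
CREATE TABLE #narrow (FirstName varchar(200),  LastName varchar(200));
CREATE TABLE #wide   (FirstName nvarchar(200), LastName nvarchar(200));

-- Case 1: literal without N. The server treats it as varchar in the
-- database collation before it looks at the column, so Thai characters
-- are already '?' unless the collation is a Thai code page (or a UTF-8
-- collation on SQL Server 2019+). Both inserts store '?????'.
INSERT INTO #narrow (FirstName, LastName) VALUES ('test', 'ทดสอบ');
INSERT INTO #wide   (FirstName, LastName) VALUES ('test', 'ทดสอบ');

-- Case 2: N-prefixed literal into a varchar column. The literal is Unicode,
-- but the implicit conversion to varchar replaces every character that is
-- not in the code page with '?'. This is what a correct EXEC ... N'...'
-- looks like when the destination column is the wrong type.
INSERT INTO #narrow (FirstName, LastName) VALUES ('test', N'ทดสอบ');

-- Case 3: N-prefixed literal into an nvarchar column: preserved.
INSERT INTO #wide   (FirstName, LastName) VALUES ('test', N'ทดสอบ');

-- Case 4: what a parameterised call from a driver looks like on the wire.
-- The parameters are declared nvarchar, so the value is never converted
-- and the client does not need to quote or prefix anything.
EXEC sp_executesql
    N'INSERT INTO #wide (FirstName, LastName) VALUES (@f, @l);',
    N'@f nvarchar(200), @l nvarchar(200)',
    @f = N'test', @l = N'ทดสอบ';

-- DATALENGTH makes the difference visible even when the client display
-- itself cannot render Thai: 5 bytes means five '?' (one byte each),
-- 10 bytes means five UTF-16 code units, i.e. the Thai survived.
SELECT 'narrow' AS tbl, LastName, DATALENGTH(LastName) AS bytes FROM #narrow
UNION ALL
SELECT 'wide'   AS tbl, LastName, DATALENGTH(LastName) AS bytes FROM #wide;

DROP TABLE #narrow;
DROP TABLE #wide;
```

Expected rows: both #narrow rows and the first #wide row come back as ????? with 5 bytes; the last two #wide rows come back as ทดสอบ with 10 bytes. If Contact_RL behaves like #narrow, alter its columns to nvarchar (the nchar(200) parameters in the procedure are already Unicode). On the PHP side the same rule applies, and the details below are assumptions about the Microsoft sqlsrv driver rather than anything stated in the question: open the connection with "CharacterSet" => "UTF-8", call the procedure as a parameterised statement such as {call dbo.sp_insert_contactus(?, ?)} instead of concatenating an EXEC string, and give each parameter the SQLSRV_SQLTYPE_NVARCHAR(200) SQL type so the driver sends it as Unicode instead of converting it to the client code page first.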