Can't Echo check box

Hi,

What am I doing wrong in this query?

$UserAccess=mssql_fetch_array(mssql_query("Select * from tblUser where UserName='$_GET[UserName]'"));

echo "<input type='checkbox' name='CreateTicket' if($UserAccess[CreateTicket])=='1'){echo 'checked';}/>Create Ticket<br>";

Please Help.

A lot… you have “$_GET[UserName]” in the query; you are the next Sony. Congratulations!

You have an if statement INSIDE your echo. IF is a PHP statement; when you open the quote on echo, it stops being PHP and starts being HTML.

Your use of double quotes is also making that WAY more complicated than it needs to be. Again, WHAT is with the raging chodo for double quotes amongst PHP developers? Just TRYING to make things difficult?!?

Also, you fail to use quotes around your array index… this isn’t PHP 4 – and with later versions of PHP that’s going to stop working…

You also seem to be fetching an array of rows, but not PROCESSING them as an array of rows and instead acting like they ARE a row… so ‘createTicket’ shouldn’t even be a valid index of the _fetch_array result. Did you mean to do mssql_fetch_row because it should only return one?

Though as logic_earth mentioned, dumping $_GET direct into the query? OUCH.

function sanitize($str){
	// undo magic_quotes first so the value is only escaped once
	if (get_magic_quotes_gpc()) $str=stripslashes($str);
	if (function_exists('mysql_real_escape_string')) {
		return mysql_real_escape_string($str);
	} else return addslashes($str);
}

// one row, keyed by column name, so 'CreateTicket' is a valid index
$UserAccess=mssql_fetch_assoc(mssql_query("
	SELECT * FROM tblUser
	WHERE UserName='".sanitize($_GET['UserName'])."'
"));

// the conditional runs in PHP; only the finished string is echoed
echo '
	<input type="checkbox" name="createTicket" id="createTicket"',(
		$UserAccess['CreateTicket']==1 ? ' checked' : ''
	),'>
	<label for="createTicket">Create Ticket</label><br>';

Though if you’re going to code for mssql, I suggest switching to PDO ASAP… that way you have prepared queries which sanitize your values for you, and the ability to target MULTIPLE SQL engines.
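The PDO route suggested above, written out as an added example (this is not deathshadow's code and not from the original post). The DSN, credentials and database name are assumed; the tblUser table with UserName and CreateTicket columns is taken from the question.

```php
<?php
// Added example, not code from this thread. Assumed: the pdo_sqlsrv driver,
// a database named "helpdesk" and the credentials below; adjust for your setup.
$pdo = new PDO(
    'sqlsrv:Server=localhost;Database=helpdesk',
    'dbuser',
    'dbpass',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION) // throw instead of returning false
);

// The user-supplied value is bound as a parameter; it never becomes part of
// the SQL text, so quotes or comment markers in it cannot change the query.
// Only the column the page needs is selected; no SELECT *.
$stmt = $pdo->prepare('SELECT CreateTicket FROM tblUser WHERE UserName = :user');
$userName = isset($_GET['UserName']) ? $_GET['UserName'] : '';
$stmt->execute(array(':user' => $userName));

// One row, keyed by column name, or false when the user does not exist.
$userAccess = $stmt->fetch(PDO::FETCH_ASSOC);
if ($userAccess === false) {
    // Unknown user: render an unchecked box rather than leaking why.
    $userAccess = array('CreateTicket' => 0);
}

// Decide in PHP, then echo the finished attribute string.
$checked = ((int) $userAccess['CreateTicket'] === 1) ? ' checked' : '';

echo '<input type="checkbox" name="createTicket" id="createTicket"', $checked, '>',
     '<label for="createTicket">Create Ticket</label><br>';
```

Nothing from $_GET is echoed back here; if the page later prints the user name, it goes through htmlspecialchars() first.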

Side note, deathshadow - your sanitize function will fail in this case - you can only real_escape_string if a mysql connection has been established - function_exists doesn't check for a connection, only that the function has been defined.

Very funny.
OP: Always check strings before putting them into a query. Make this an instinctive action. Even if this is a test, some day you might copy the code.