It seems you are using CGI but then parsing the params yourself. Why not just use the module? Another thing you might want to do is use an if/elsif/else construct; that way you don't keep comparing once a match is found. As others have mentioned, the main problem is the difference between '==' and 'eq' and what they compare (numerical vs. text values). Lastly, to have perl help you check that everything that needs to be untainted is in fact untainted, add a -T after your shebang line. Anyhow, here is another way to accomplish what you're doing (using hashes vs. many if statements, plus the -T):
```perl
#!/usr/local/bin/perl -T
use strict;
use warnings;
use DBI;
use CGI;

my $cgi = CGI->new;

# Lookup table: a valid code is a key of this hash, nothing else.
my %states = (
    'AL' => 'Alabama',        'AK' => 'Alaska',           'AZ' => 'Arizona',
    'AR' => 'Arkansas',       'CA' => 'California',       'CO' => 'Colorado',
    'CT' => 'Connecticut',    'DE' => 'Delaware',         'FL' => 'Florida',
    'GA' => 'Georgia',        'HI' => 'Hawaii',           'ID' => 'Idaho',
    'IN' => 'Indiana',        'IL' => 'Illinois',         'IA' => 'Iowa',
    'KS' => 'Kansas',         'KY' => 'Kentucky',         'LA' => 'Louisiana',
    'ME' => 'Maine',          'MD' => 'Maryland',         'MA' => 'Massachusetts',
    'MI' => 'Michigan',       'MN' => 'Minnesota',        'MO' => 'Missouri',
    'MS' => 'Mississippi',    'MT' => 'Montana',          'NE' => 'Nebraska',
    'NV' => 'Nevada',         'NH' => 'New Hampshire',    'NJ' => 'New Jersey',
    'NM' => 'New Mexico',     'NY' => 'New York',         'NC' => 'North Carolina',
    'ND' => 'North Dakota',   'OH' => 'Ohio',             'OR' => 'Oregon',
    'OK' => 'Oklahoma',       'PA' => 'Pennsylvania',     'RI' => 'Rhode Island',
    'SC' => 'South Carolina', 'SD' => 'South Dakota',     'TN' => 'Tennessee',
    'TX' => 'Texas',          'UT' => 'Utah',             'VT' => 'Vermont',
    'VA' => 'Virginia',       'WA' => 'Washington State', 'DC' => 'Washington DC',
    'WV' => 'West Virginia',  'WI' => 'Wisconsin',        'WY' => 'Wyoming',
    ## Canada ##
    'AB' => 'Alberta',        'BC' => 'British Columbia', 'LB' => 'Labrador',
    'MB' => 'Manitoba',       'NB' => 'New Brunswick',    'NL' => 'Newfoundland and Labrador',
    'NS' => 'Nova Scotia',    'NT' => 'Northwest Territories', 'NU' => 'Nunavut',
    'PE' => 'Prince Edward Island', 'ON' => 'Ontario',    'QC' => 'Quebec',
    'SA' => 'Saskatchewan',   'YU' => 'Yukon Territory',
);

# Untaint: the regex capture is what clears the taint flag, so anchor it
# so that only a value that is exactly two capital letters gets through;
# the hash lookup then decides whether that code is actually known.
my ($state) = ( $cgi->param('state') // '' ) =~ /\A([A-Z]{2})\z/;
unless ( defined $state and exists $states{$state} ) {
    die "State not found";
}
my $state_name = $states{$state};

############ DB STUFF
my $database  = "database";
my $db_server = "x";
my $user      = "x";
my $passwd    = "x";

## Connect to database, run the statement, & disconnect
my $dbh = DBI->connect( "DBI:mysql:$database:$db_server", $user, $passwd )
    or die "Couldn't connect: " . DBI->errstr;

# Placeholder (?) keeps the untainted code out of the SQL text entirely.
my $statement = "SELECT DISTINCT city FROM database WHERE state = ? ORDER BY city";
my $sth = $dbh->prepare($statement)
    or die "Couldn't prepare the query: " . $dbh->errstr;
my $rv = $sth->execute($state)
    or die "Couldn't execute query: " . $sth->errstr;

$sth->finish;
$dbh->disconnect;
################################################
```
HTH

-enlil
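As an added illustration (not part of enlil's post), here is a stand-alone script that contrasts the post's unanchored two-letter capture with an anchored capture plus the hash lookup, and shows the '==' versus 'eq' point raised in the thread. It assumes Perl 5.10 or later, uses a small constructed subset of the state hash, and taints its sample inputs with the usual empty-string-from-%ENV trick (so PATH must be set, as it normally is).

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed allow-list: a small subset of the %states hash in the post.
my %states = ( AL => 'Alabama', AK => 'Alaska', NY => 'New York' );

# Loose untainting (the post's pattern): an unanchored capture pulls two
# capitals out of anything, so malformed input is silently "repaired".
sub untaint_loose {
    my ($raw) = @_;
    my ($code) = $raw =~ /([A-Z]{2})/;
    return ( defined $code && exists $states{$code} ) ? $code : undef;
}

# Strict untainting: the whole value must be exactly two capitals, and the
# hash lookup decides whether the code is known; anything else is rejected.
sub untaint_strict {
    my ($raw) = @_;
    my ($code) = $raw =~ /\A([A-Z]{2})\z/;
    return ( defined $code && exists $states{$code} ) ? $code : undef;
}

# Under -T, %ENV is tainted at startup; concatenating an empty tainted
# string is the usual trick to taint a constructed sample the way a CGI
# parameter would be (assumes PATH is set, as it normally is).
my $taint = substr( $ENV{PATH} // '', 0, 0 );

for my $sample ( 'AL', "AL'; DROP TABLE x", 'al', 'ZZ' ) {
    my $in     = $sample . $taint;             # constructed, tainted input
    my $loose  = untaint_loose($in);
    my $strict = untaint_strict($in);
    printf "%-20s in:tainted=%d  loose=%-9s strict=%s\n",
        "'$sample'",
        tainted($in) ? 1 : 0,
        defined $loose  ? "$loose(t=" . ( tainted($loose) ? 1 : 0 ) . ")" : 'rejected',
        defined $strict ? $strict : 'rejected';
}

# The '==' vs 'eq' trap from the thread: numeric comparison turns both
# non-numeric strings into 0, so any two state codes compare "equal".
{
    no warnings 'numeric';    # keep the "isn't numeric" warning quiet here
    printf "'AL' == 'AK' is %s, 'AL' eq 'AK' is %s\n",
        ( 'AL' == 'AK' ) ? 'true' : 'false',
        ( 'AL' eq 'AK' ) ? 'true' : 'false';
}
```

Run it as `perl -T demo.pl`; with -T only in the shebang, invoking `perl demo.pl` fails with "Too late for -T". The second sample shows the difference: the loose version hands back a clean-looking 'AL' from obvious junk, the strict version rejects it.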


In reply to Re: Untaint variables not working, IF statements. by Enlil
in thread Untaint variables not working, IF statements. by Anonymous Monk