in reply to Untaint variables not working, IF statements.

It seems you are using CGI but then parsing the params yourself. Why not just use the module? Another thing you might want to do is use an if/elsif/else construct; that way you don't keep comparing once a match is found. As others have mentioned, the main problem is the difference between '==' and 'eq' and what they compare (numerical vs. text values). Lastly, to have perl help you check that everything that needs to be untainted is in fact untainted, add a -T after your shebang line. Anyhow, here is another way to accomplish what you're doing (using hashes vs. many if statements, plus the -T):
#!/usr/local/bin/perl -T
use strict;
use warnings;
use DBI;
use CGI;

my $cgi = new CGI;

my %states = (
    'AL' => 'Alabama',
    'AK' => 'Alaska',
    'AZ' => 'Arizona',
    'AR' => 'Arkansas',
    'CA' => 'California',
    'CO' => 'Colorado',
    'CT' => 'Connecticut',
    'DE' => 'Delaware',
    'FL' => 'Florida',
    'GA' => 'Georgia',
    'HI' => 'Hawaii',
    'ID' => 'Idaho',
    'IN' => 'Indiana',
    'IL' => 'Illinois',
    'IA' => 'Iowa',
    'KS' => 'Kansas',
    'KY' => 'Kentucky',
    'LA' => 'Louisiana',
    'ME' => 'Maine',
    'MD' => 'Maryland',
    'MA' => 'Massachusetts',
    'MI' => 'Michigan',
    'MN' => 'Minnesota',
    'MO' => 'Missouri',
    'MS' => 'Mississippi',
    'MT' => 'Montana',
    'NE' => 'Nebraska',
    'NV' => 'Nevada',
    'NH' => 'New Hampshire',
    'NJ' => 'New Jersey',
    'NM' => 'New Mexico',
    'NY' => 'New York',
    'NC' => 'North Carolina',
    'ND' => 'North Dakota',
    'OH' => 'Ohio',
    'OR' => 'Oregon',
    'OK' => 'Oklahoma',
    'PA' => 'Pennsylvania',
    'RI' => 'Rhode Island',
    'SC' => 'South Carolina',
    'SD' => 'South Dakota',
    'TN' => 'Tennessee',
    'TX' => 'Texas',
    'UT' => 'Utah',
    'VT' => 'Vermont',
    'VA' => 'Virginia',
    'WA' => 'Washington State',
    'DC' => 'Washington DC',
    'WV' => 'West Virginia',
    'WI' => 'Wisconsin',
    'WY' => 'Wyoming',
    ## Canada ##
    'AB' => 'Alberta',
    'BC' => 'British Columbia',
    'LB' => 'Labrador',
    'MB' => 'Manitoba',
    'NB' => 'New Brunswick',
    'NL' => 'Newfoundland and Labrador',
    'NS' => 'Nova Scotia',
    'NT' => 'Northwest Territories',
    'NU' => 'Nunavut',
    'PE' => 'Prince Edward Island',
    'ON' => 'Ontario',
    'QC' => 'Quebec',
    'SA' => 'Saskatchewan',
    'YU' => 'Yukon Territory',
);

# Untaint: the regex capture is what clears the taint flag, and the
# hash lookup restricts the value to a code we actually know about.
my ($state) = $cgi->param('state') =~ /([A-Z]{2})/;
unless ( defined $state and exists $states{$state} ) {
    die "State not found";
}
my $state_name = $states{$state};

############ DB STUFF
my $database  = "database";
my $db_server = "x";
my $user      = "x";
my $passwd    = "x";

## Connect to database, prepare & execute the statement
my $dbh = DBI->connect("DBI:mysql:$database:$db_server", $user, $passwd)
    or die "Couldn't connect: " . DBI->errstr;
my $statement = "SELECT DISTINCT city FROM database WHERE state = ? ORDER BY city";
my $sth = $dbh->prepare($statement)
    or die "Couldn't prepare the query: " . $dbh->errstr;
# the ? placeholder is filled in by DBI from the bind value, so the
# (already untainted) code never gets interpolated into the SQL text
my $rv = $sth->execute($state)
    or die "Couldn't execute query: " . $dbh->errstr;
################################################
HTH

-enlil
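As an added example (not part of enlil's reply), here are the two points above in runnable Perl: the regex-capture plus hash-lookup untaint, checked with Scalar::Util::tainted, and the '==' versus 'eq' difference that made every branch of the original if-chain match. It tightens the original pattern by anchoring it, uses a constructed subset of the state hash, and assumes $ENV{PATH} is set, since %ENV is the tainted source it builds the input from. Run it as `perl -T example.pl`.

```perl
#!/usr/bin/perl -T
# Added example, not from the original reply. Assumes Scalar::Util (core)
# and that $ENV{PATH} is set, since %ENV is the tainted source used below.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed subset of the whitelist hash from the reply above.
my %states = ( AL => 'Alabama', AK => 'Alaska', WA => 'Washington State' );

# Return the full name for a two-letter state code, or undef when the input
# is not a known code.  The regex capture is what clears the taint flag; the
# hash lookup is what makes the value safe to use.  Anchored so that
# "xxALyy" or "AL; extra" is rejected instead of having two letters picked
# out of it (the reply's unanchored pattern would accept those).
sub untaint_state {
    my ($raw) = @_;
    return unless defined $raw;
    my ($code) = $raw =~ /\A([A-Z]{2})\z/ or return;
    return $states{$code};    # undef for codes not in the whitelist
}

# The thread's original bug: '==' numifies both sides.  Non-numeric strings
# become 0, so 'AL' == 'AK' is true and every branch of the if-chain matched.
# 'eq' compares the text and is the right operator for state codes.
sub codes_equal_numeric { no warnings 'numeric'; return $_[0] == $_[1] ? 1 : 0 }
sub codes_equal_string  { return $_[0] eq $_[1] ? 1 : 0 }

# Build a tainted input the way CGI data arrives: anything derived from %ENV
# is tainted under -T, and concatenating an empty tainted substring taints
# the result.
my $input = 'AL' . substr($ENV{PATH}, 0, 0);
printf "raw input tainted: %d\n", tainted($input) ? 1 : 0;    # 1
my $name = untaint_state($input);
printf "%s tainted: %d\n", $name, tainted($name) ? 1 : 0;     # Alabama 0

for my $bad ('ZZ', 'AL; extra', 'al') {
    printf "%-12s -> %s\n", "'$bad'",
        defined untaint_state($bad) ? 'accepted' : 'rejected';   # all rejected
}

printf "'AL' == 'AK': %d   'AL' eq 'AK': %d\n",
    codes_equal_numeric('AL', 'AK'), codes_equal_string('AL', 'AK');   # 1 0

# The untainted code (not the raw param) is what you hand to
# $sth->execute(...) to fill the ? placeholder in the reply's query.
```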

Re^2: Untaint variables not working, IF statements.
by Anonymous Monk on Jun 29, 2004 at 15:18 UTC
    Cool, thanks guys. This is my first program of any substance. You guys have been a big help.

    Thanks again,
    Adam

Re^2: Untaint variables not working, IF statements.
by Anonymous Monk on Jun 29, 2004 at 17:36 UTC
    I don't understand what the '?' is for in the following statement: "SELECT DISTINCT city FROM database WHERE state = ? ORDER + BY city"

    Why wouldn't you just use '$state'?

    Thanks
    Adam