in reply to input switch

As has already been mentioned, using eval at that point is not a good idea, and you should also make sure that only allowed methods can be called. Personally, when I used a similar setup, I simply used a name prefix for all "public" methods.
    my $action = "do_" . $CGI->param('action');
    my $to_do = new INVOICES;
    $to_do->can($action) ? $to_do->$action() : defscreen();

Now all your action methods must be called do_foo (called by action=foo), do_bar, etc., but this makes sure that someone can't call, e.g., the method delete_file by putting action=delete_file in the URL. The other way would be to have a method, analogous to can, which checks if $action is an allowed method name, but I don't prefer that solution because it requires keeping several locations in the code synchronized.

(Btw, I see no mys in your code; you are of course using strict and warnings, I hope?)

Makeshifts last the longest.
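
The prefix dispatch described in the reply above, as an added example that is not part of the original post. INVOICES, defscreen and delete_file are names taken from the post; do_list, do_show, dispatch, all method bodies and the sample action values are constructed here, and the word-character check goes one step beyond what the post describes.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the INVOICES class from the post.
package INVOICES;

sub new { my ($class) = @_; return bless {}, $class }

# "Public" actions: reachable from the request because of the do_ prefix.
sub do_list { return "listing invoices" }
sub do_show { return "showing one invoice" }

# Internal helper: no do_ prefix, so no action value can select it.
sub delete_file { return "file deleted" }

package main;

sub defscreen { return "default screen" }

# Map a request's action value to a do_* method, else the default screen.
sub dispatch {
    my ($obj, $action) = @_;

    # Added hardening (not in the post): accept only word characters, so the
    # composed name is always a plain method name with no package qualifier.
    return defscreen() unless defined $action && $action =~ /\A\w+\z/;

    # can() returns a code reference for an existing method, or false.
    my $method = $obj->can("do_$action");
    return $method ? $obj->$method() : defscreen();
}

my $to_do = INVOICES->new;

# Constructed action values standing in for $CGI->param('action').
for my $action ('list', 'show', 'delete_file', 'nonexistent',
                'INVOICES::delete_file', undef) {
    printf "%-28s => %s\n",
        defined $action ? "action=$action" : '(no action)',
        dispatch($to_do, $action);
}
```

Only the first two values reach a method; every other value, including the missing parameter, falls through to defscreen.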