in reply to Safe eval of string literals?

When I see code that passes externally supplied strings through eval, it fills me with trepidation.

When it comes to 'safe' strings, a lot depends on how much you can trust the source of the strings. If your code is only ever being used inside a corporate development environment, you probably don't need to worry.

The extreme case is if you are receiving strings for eval as parameters in a CGI script, and some cracker gets in there and trashes your system (for example, 'system("rm -rf /");'). This is what taint mode was invented for.

I thoroughly recommend Ovid's CGI course, which contains a full discussion of the security aspects involved in validating external strings.
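
As an added illustration (not part of the reply above, and not code from the course it recommends), here is one way to turn an externally supplied string literal into its value without eval, using an allow-list regex whose capture also untaints the data under taint mode. The name `decode_literal`, the file name and the set of permitted escapes are assumptions made for this sketch.

```perl
# Run as: perl -T decode_literal.pl '"some\tliteral"'
# With -T, anything from @ARGV starts out tainted; the constructed
# samples below are program literals, so they report tainted=0.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# The only escapes this sketch is willing to interpret (an assumption).
my %ESCAPE = (n => "\n", t => "\t", '\\' => '\\', '"' => '"');

# Decode one double-quoted literal. Returns undef for anything that is
# not exactly "..." built from plain characters and allowed escapes.
# Nothing is ever handed to eval, so $ and @ are just characters.
sub decode_literal {
    my ($raw) = @_;
    return unless defined $raw;
    return unless $raw =~ /\A"((?:[^"\\[:cntrl:]]|\\[nt\\"])*)"\z/;
    my $body = $1;    # regex captures are untainted: validation happened above
    $body =~ s/\\([nt\\"])/$ESCAPE{$1}/g;
    return $body;
}

# Constructed sample inputs, used when no arguments are given.
my @inputs = @ARGV ? @ARGV : (
    '"hello\tworld"',          # accepted, \t becomes a tab
    '"price: $5 @home"',       # accepted, no interpolation takes place
    'system("rm -rf /");',     # the example from the post: rejected
    '"unterminated',           # rejected, no closing quote
    '"bad \x41 escape"',       # rejected, \x is not on the allow-list
);

for my $raw (@inputs) {
    my $value = decode_literal($raw);
    printf "%-24s tainted=%d => %s\n", $raw, tainted($raw) ? 1 : 0,
        defined $value ? "accepted [$value]" : "rejected";
}
```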