in reply to Safe eval of string literals?
    require Safe;
    my $string = Safe->new->reval("'$literal'");
Safe disables many of the potentially dangerous Perl op codes, so that even if someone manages to sneak a curiously-formatted piece of code past your parser/escaper, it's unable to do anything particularly malicious. (For example, it might be able to suck up an inordinate amount of CPU time, but it won't be able to reformat your hard drive.)
This is a very powerful capability, and I don't know why Perl developers don't take advantage of it more often...
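An added example, not part of the original reply: the same `reval` call wrapped so that a trapped op, a runaway loop and a non-string result are each reported separately. The helper name `safe_literal`, the 2-second budget and the sample inputs are assumptions constructed for illustration; `alarm` assumes a Unix-like platform.

```perl
use strict;
use warnings;
use Safe;

# Hypothetical helper: evaluate $literal as the body of a single-quoted Perl
# string inside a Safe compartment. Returns (value, undef) or (undef, reason).
sub safe_literal {
    my ($literal, $timeout) = @_;
    $timeout ||= 2;                      # seconds; assumed budget
    my $cpt = Safe->new;                 # default operation mask
    my ($value, $err, $timed_out) = (undef, '', 0);

    # Safe restricts which ops may run, not how long they run, so the
    # CPU-time case from the reply is bounded separately with alarm().
    eval {
        local $SIG{ALRM} = sub { $timed_out = 1; die "timeout\n" };
        alarm $timeout;
        $value = $cpt->reval("'$literal'");
        $err   = $@;                     # set by reval on compile/run failure
        alarm 0;
        1;
    };
    alarm 0;

    return (undef, 'timed out') if $timed_out;
    if ($err) { chomp $err; return (undef, "rejected: $err") }
    # A literal must come back as a plain defined scalar, never a reference.
    return (undef, 'not a plain string') if !defined $value || ref $value;
    return ($value, undef);
}

# Constructed sample inputs (not taken from the thread).
my @samples = (
    q{hello world},                      # ordinary literal
    q{it\'s escaped},                    # properly escaped quote
    q{'; system('true'); '},             # breaks out of the quotes: op is trapped
    q{'; 1 while 1; '},                  # breaks out and spins: stopped by alarm
);

for my $s (@samples) {
    my ($value, $why) = safe_literal($s);
    printf "%-26s => %s\n", $s, defined $why ? "ERROR ($why)" : "OK [$value]";
}
```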