in reply to eval and security issues
in thread variable interpolation from a filehandle

Running Perl with taint-checking enabled (-T) does wonders. The mechanism I gave in the earlier post should be quite sufficient, and should satisfy taint checks, because I'm pulling word characters and explicitly specifying a package name. The user is unable to specify any special characters or anything that would allow their variables to be interpolated as anything but variables.

Generally, so long as you have taint checking enabled and those internal taint checks are satisfied with the way you're handling untrusted data ("Trust no one."), you will typically be OK. The only place you have to be careful is in untainting data, such as where I was using a regular expression to pull variable names out of the untrusted string. So long as you know what you're doing in cases like this and trust the mechanism enough to guarantee that the data you're pulling out is trustworthy (and untainted), you should be safe.
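An added example, not the code from the earlier post: one way to interpolate variables from a filehandle by capturing only word characters and pinning the lookup to a single package. The package name `Template::Vars`, its variables, and the sample template lines are assumptions constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T interpolate.pl   (file name is hypothetical)
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Hypothetical package: the only scalars a template is allowed to reference.
package Template::Vars;
our $name = 'Alice';
our $host = 'example.org';

package main;
our $secret = 'main-only';    # lives in main, so templates cannot reach it

# Replace each $word token with the scalar of that name in Template::Vars.
sub interpolate {
    my ($line) = @_;
    no strict 'refs';         # symbolic lookup; the package prefix is fixed
    $line =~ s{\$(\w+)}{
        my $var = $1;         # \w+ cannot contain ':', quotes or braces,
                              # so the name cannot leave Template::Vars
        defined ${"Template::Vars::$var"}
            ? ${"Template::Vars::$var"}
            : "\$$var"        # unknown names stay as literal text
    }ge;
    return $line;
}

# Constructed template lines are read from DATA, i.e. file input under -T.
while (my $line = <DATA>) {
    chomp $line;
    my $out = interpolate($line);
    printf "%s\n  -> %s\n  (input tainted: %s, output tainted: %s)\n",
        $line, $out,
        tainted($line) ? 'yes' : 'no',
        tainted($out)  ? 'yes' : 'no';
}

__DATA__
Hello $name at $host
$secret and $main::secret stay literal
${name} and @{[ 1+1 ]} are not evaluated
```

Only the captured name is used to build the symbol lookup; the surrounding text is passed through unchanged and never reaches `eval`.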