There's no injection problem here. This is just a small utility to convert an Excel spreadsheet into an SQL database. There is a hash to define the mapping, and another to apply any hacks needed to the data:

my %column_match = (
    'SP_CITYNAME'           => 'pod_city',
    'SP_STATE'              => 'pod_state',
    'SP_POSTALCODE'         => 'pod_zip',
    'SP_LANDMARKNAME'       => 'pod_short_name',
);
my %column_regex = (
    'SP_CITYNAME'       => 's/\s*$//g',
    'SP_LANDMARKNAME'   => 's/^Landmark - //',
);

Though I now realize this is hardly flexible enough. What if someone wanted to hack the data with "join(' ',map{ucfirst(lc($_))}split(/\s/,$_[0]));"?