in reply to better ways than eval to dynamic load a module
IMO, there's a huge difference between eval STR and eval BLOCK. You're using eval STR, and could run into problems with a poor regexp (and I'm not saying you have one). I suggest using eval BLOCK instead.
my $op = $query->param('option') || 'Login';
if ($op =~ /^(\w+)$/) { # this is good for untainting.
    $op = $1;
} else {
    $op = 'NotAllowed';
}
# convert $op into a modulename.
(my $modname = $op) =~ s.::./.g; # since you don't allow :'s this isn't needed, but it's useful in the general case.
$modname .= '.pm';
eval { require $modname };
die "Couldn't find class $op : $@\n" if $@;
$op->perform(...);
With your original eval STR code, a carefully crafted option parameter, with a broken regular expression (again, yours doesn't seem to be such a case), could insert extra perl commands to run. e.g., an option of "strict;system(qw{rm -rf /})" would be disastrous. You eliminated that with your regexp, but eval BLOCK also eliminates it. IMO, with something so dangerous, it doesn't hurt to double-protect oneself. Just in case you accidentally break your regexp later, for example.
(And, as an added bonus, eval BLOCK is faster.)
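Added example (not code from the original post): the same untaint-then-require pattern as a self-contained script, run once through the regexp check and once deliberately without it, to show that under eval BLOCK a crafted option string only ever reaches require as a filename and fails closed. The %ALLOWED list, the handler names and the sample inputs are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed allow-list of handler classes; real code would list its own.
my %ALLOWED = map { $_ => 1 } qw(Login Logout Register);

# Untaint a user-supplied option: accept only a plain identifier that is
# also on the allow-list, otherwise fall back to 'NotAllowed'.
sub resolve_op {
    my ($raw) = @_;
    $raw = 'Login' unless defined $raw && length $raw;
    return 'NotAllowed' unless $raw =~ /^(\w+)$/;
    my $op = $1;                       # $1 is the untainted copy
    return $ALLOWED{$op} ? $op : 'NotAllowed';
}

# Map a class name to a file and load it inside eval BLOCK.  Whatever the
# string contains, require only treats it as a path to look up in @INC;
# nothing in it is ever compiled as Perl source.
sub load_class {
    my ($op) = @_;
    (my $file = $op) =~ s{::}{/}g;     # Foo::Bar -> Foo/Bar.pm
    $file .= '.pm';
    eval { require $file; 1 } or return (undef, $@);
    return ($op, undef);
}

# Exercise both paths with constructed sample inputs, including a string that
# would be compiled under eval STR.  With eval BLOCK the bad string fails
# closed: require reports a missing file and the embedded code never runs.
for my $input ('Login', 'strict;print("injected\n")') {
    my $op = resolve_op($input);
    printf "%-30s -> %s\n", $input, $op;

    # Skip resolve_op on purpose: this is the "regexp broke later" scenario.
    my ($class, $err) = load_class($input);
    print defined $class ? "  loaded $class\n"
                         : "  require refused: " . (split /\n/, $err)[0] . "\n";
}
```

Without a Login.pm on @INC the first input is also refused by require, which is the expected "Couldn't find class" outcome rather than a code-execution one.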