in reply to Preventing injection attacks

Win,

SQL Injection can definitely be a thorn in your side. However, most of these problems are eliminated when you use DBI's bind method.
    # assuming you're connected, with a $dbh
    # my $sql = "select ? from ?";   # incorrect, thanks wfsp: a placeholder cannot
    #                                # stand in for a table (or column) name
    my $sql = "select name from myTable where id = ?";   # placeholder for a value
    my $sth = $dbh->prepare($sql) or die $dbh->errstr;
    $sth->bind_param(1, $id);        # the bound value is sent separately from the SQL text
    # $sth->bind_param(2, $table);   # also incorrect
    $sth->execute or die $sth->errstr;
DBI does a good job of escaping and db-quoting the things you bind this way. Then you can relax. If you use andye's method for filtering the input and paring away only things you -do- want via your favorite untaint method, you can relax even harder.

Peace, monks.

Update: wfsp has pointed out that table names shouldn't be bound with bind_params. Turns out he's absolutely correct. It's all documented in perldoc DBI. I've also fixed the code and commented out the garbage. Thanks wfsp.
Bro. Doug :wq
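Added example (not from the post above or from DBI's own documentation): a self-contained Perl script showing the interpolated query beside the bound one, and a whitelist plus quote_identifier for the column-name case that placeholders cannot cover. It assumes DBD::SQLite is installed and builds a small constructed table in memory; the table, column and sample names are made up for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database with a small constructed table (assumes DBD::SQLite).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE myTable (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
my $ins = $dbh->prepare("INSERT INTO myTable (id, name, secret) VALUES (?, ?, ?)");
$ins->execute(@$_) for [1, "alice", "s3cr3t-a"], [2, "bob", "s3cr3t-b"];

# Constructed hostile input: glued into the SQL text it turns a lookup into "return everything".
my $user_input = "nobody' OR '1'='1";

# 1. Vulnerable: the value is interpolated into the SQL string.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $rows = $dbh->selectall_arrayref("SELECT id FROM myTable WHERE name = '$name'");
    return scalar @$rows;
}

# 2. Safe: a value placeholder. DBI and the driver hand the value to the engine
#    separately from the statement, so the quote and OR inside it are just
#    characters of a name that does not exist.
sub lookup_bound {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("SELECT id FROM myTable WHERE name = ?");
    $sth->execute($name);
    my $rows = $sth->fetchall_arrayref;
    return scalar @$rows;
}

# 3. Identifiers cannot be placeholders: "SELECT ? FROM myTable" with "name" bound
#    returns the literal string 'name' for every row. Check the requested column
#    against a fixed list instead, then quote it with quote_identifier.
my %allowed_column = map { $_ => 1 } qw(id name);   # 'secret' is deliberately absent

sub select_column {
    my ($dbh, $column, $id) = @_;
    die "column '$column' not permitted\n" unless $allowed_column{$column};
    my $sql = sprintf "SELECT %s FROM myTable WHERE id = ?", $dbh->quote_identifier($column);
    return $dbh->selectrow_array($sql, undef, $id);
}

printf "interpolated lookup of hostile input matched %d row(s)\n", lookup_interpolated($dbh, $user_input);
printf "bound lookup of hostile input matched %d row(s)\n",        lookup_bound($dbh, $user_input);
printf "bound lookup of a real name matched %d row(s)\n",          lookup_bound($dbh, "alice");
printf "select_column('name', 1) = %s\n", select_column($dbh, "name", 1);
eval { select_column($dbh, "secret", 1) };
print "select_column('secret', 1) refused: $@" if $@;
```

Run as-is: the interpolated lookup matches both rows, the bound lookup of the same input matches none, and the request for the non-whitelisted column dies before any SQL is built. The whitelist does the work in case 3; quote_identifier only adds the driver's quoting around a name you have already decided to allow.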

Replies are listed 'Best First'.
Re^2: Preventing injection attacks
by parv (Parson) on Apr 02, 2007 at 23:07 UTC
    "relax even harder"++)