that's a bad way of untainting...the better/safer way is to only let through the allowed character class instead, e.g. "a-zA-Z0-9 ,()+"
you could even later use a SQL tokenizer to validate the SQL before execution. I believe there's also a DBI function to send the SQL as passthru...so it would have no chance of causing side effects in the perl (and DBI module). but you couldn't use placeholders in that.
the hardest line to type correctly is: stty erase ^H
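The allowlist untainting described in the post above, as an added Perl example that is not part of the original thread. It assumes DBI and DBD::SQLite are installed, uses an in-memory database with constructed rows, and is meant to be run under `perl -T`.

```perl
use strict;
use warnings;
use DBI;   # assumption: DBI and DBD::SQLite are available

# Untaint by capturing only the allowed character class from the post and
# rejecting (rather than stripping) anything else. Under perl -T the captured
# $1 is untainted, so this regex is the single place that decides what passes.
sub untaint_allowlist {
    my ($input) = @_;
    return undef unless defined $input;
    # \A and \z anchor the whole string; a bare $ would tolerate a trailing newline
    return $1 if $input =~ /\A([a-zA-Z0-9 ,()+]*)\z/;
    return undef;
}

# Constructed sample inputs: the allowlist also rejects legitimate values
# (such as names with an apostrophe), which is the trade-off of this approach.
my @samples = (
    [ 'Smith, John (Jr)', 'only allowed characters'      ],
    [ "O'Brien",          'apostrophe is outside the class' ],
    [ "a+b\n",            'trailing newline'              ],
);
for my $pair (@samples) {
    my ($in, $why) = @$pair;
    my $clean = untaint_allowlist($in);
    printf "%-22s %-8s (%s)\n", "'$in'", defined $clean ? 'accepted' : 'rejected', $why;
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE people (name TEXT, age INTEGER)');

# Data values go through placeholders, which handle the quote in O'Brien;
# the allowlist is only for fragments that cannot be bound, such as the
# ORDER BY column below (in practice a column name would get an even tighter
# class, or a lookup against the known column names).
$dbh->do('INSERT INTO people VALUES (?, ?)', undef, "O'Brien", 40);
$dbh->do('INSERT INTO people VALUES (?, ?)', undef, 'Smith, John (Jr)', 35);

my $requested_order = 'age';   # constructed stand-in for user input
my $order_by = untaint_allowlist($requested_order)
    // die "order column rejected\n";
my $rows = $dbh->selectall_arrayref(
    "SELECT name, age FROM people WHERE age > ? ORDER BY $order_by", undef, 30);
print join("\t", @$_), "\n" for @$rows;
```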