You must have astoundingly high confidence that none of your users will ever - by intent, accident or ignorance - abuse this direct input. Shouting now: TAINT! UNTAINT!

perldoc -q taint
...that source refers the reader to
"Laundering and Detecting Tainted Data" in perlsec.

Among the questions that pop to (my) mind (even knowing and allowing -- or trying to do so -- for the fact you've given us a brief sample that likely bears no resemblance to your actual code):

• How are you going to untaint all the possible regexen?
• How is $string generated? Assuming a user actually inputs a (safe) regex, your code must have use psi enabled for the user to have any chance of matching anything.
• Why do you need to let users use regexen? Why wouldn't a decent search engine (Kino... etc) do the job more securely (and perhaps better)?
• What basis do you have for expecting your users to know how to write a proper regex (you clearly have an expectation that some won't have that knowledge)?
• And, repeated for emphasis, why a regex?