in reply to Re: eval question
in thread eval question
(But as always with string eval, be careful what you interpolate when the data doesn't come from trusted sources...)
If you whitelist allowed operators via hash, and don't interpolate $a and $b, you should be fine:
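    my $r;    # declared outside the block so the result stays usable
    if (exists $perlop{$op}) {
        # \$a and \$b are escaped: eval sees the variable names, not their values
        $r = eval "\$a $perlop{$op} \$b";
    }
    else {
        die "OH NOEZ!";
    }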
That way the string passed to eval contains the variable names, and obtains their value from the outer scope.
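The whitelist approach from this reply as a complete script, added here as an example and not part of the original post. The contents of %perlop, the helper name apply_op and the sample inputs are assumptions, and $x/$y stand in for $a/$b to stay clear of sort's package variables.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed mapping from user-facing operator names to Perl operators.
# Only the values of this hash ever reach the eval string.
my %perlop = (
    plus  => '+',
    minus => '-',
    times => '*',
    over  => '/',
    eq    => '==',
);

# apply_op is a hypothetical helper name.
sub apply_op {
    my ($op, $x, $y) = @_;

    # Reject anything that is not a key of the whitelist.
    die "operator not allowed: $op\n" unless exists $perlop{$op};

    # \$x and \$y are escaped, so the eval string holds the variable
    # names; their values are never parsed as Perl code.
    my $r = eval "\$x $perlop{$op} \$y";
    die "evaluation failed: $@" if $@;
    return $r;
}

# Constructed inputs: the last two are hostile.
my @cases = (
    [ 'plus', 2, 3 ],
    [ 'over', 1, 0 ],                        # runtime error inside eval
    [ 'plus', 2, '3; print "injected"' ],    # hostile operand
    [ '+ 0; print "injected";', 2, 3 ],      # hostile operator name
);

for my $c (@cases) {
    my ($op, $x, $y) = @$c;
    my $r = eval { apply_op($op, $x, $y) };
    if (defined $r) { print "[$op] ($x, $y) = $r\n" }
    else            { print "[$op] rejected: $@" }
}
```

The hostile operand is only numified (with a "isn't numeric" warning) and the hostile operator name never reaches eval because it is not a hash key.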