A better way

Instead of 'sanitizing' user input, you can gather the input in a better fashion. Example using DBI's positional parameters:

    use DBI;
    use CGI qw(param);
    # $dbh is assumed to be an already-connected DBI database handle
    my $col1 = param('col1');
    my $col2 = param('col2');
    my $col3 = param('col3');
    my $sql  = "select ?,?,? from sometable";
    my $sth  = $dbh->prepare($sql);
    $sth->execute( $col1, $col2, $col3 );

Since the user input is sent as parameters, rather than in the string, there is no chance for SQL trickery.
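An added example (not from the post above) showing the same placeholder mechanism in Python's sqlite3 module, which binds values separately from the SQL text just as DBI does. It uses a constructed in-memory table, and also shows the caveat behind the post's "select ?,?,? from sometable": placeholders are bound as values, not as column names, so that query returns the bound strings rather than the columns.

```python
import sqlite3

# Constructed sample rows (not from the original post); the apostrophe in
# the second name is the interesting input.
ROWS = [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table sometable (name text, email text)")
    conn.executemany("insert into sometable values (?, ?)", ROWS)
    return conn

def lookup_interpolated(conn, name):
    # The pattern the post argues against: user input spliced into the SQL
    # string. A quote in the input changes the statement's structure.
    sql = "select name, email from sometable where name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_bound(conn, name):
    # DBI-style positional placeholder: the value travels as a parameter,
    # so the input is always treated as data, never as SQL.
    sql = "select name, email from sometable where name = ?"
    return conn.execute(sql, (name,)).fetchall()

def select_placeholders_as_columns(conn, col1, col2):
    # The post's "select ?,? from sometable" shape. Placeholders are bound as
    # values, so every row comes back as the literal strings that were bound,
    # not as the contents of columns named col1/col2.
    return conn.execute("select ?,? from sometable", (col1, col2)).fetchall()

def demo():
    conn = make_db()
    results = {}
    try:
        results["interp"] = lookup_interpolated(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        # The spliced quote breaks the statement (a syntax error here; with
        # other inputs it would change what the query does instead).
        results["interp"] = "error: %s" % e
    results["bound"] = lookup_bound(conn, "O'Brien")
    results["cols"] = select_placeholders_as_columns(conn, "name", "email")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```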