in reply to Re: DBI and stored procedures
in thread DBI and stored procedures
But this is beside the point. It is reasonably straightforward to untaint data, prior to checking for SQL type compatibility.
my $username; if ($inputstring =~ /^(\w+)$/) { $username = $1; }   # $1 is only meaningful (and untainted) when the match succeeded
Care must be taken, though, that all strings are received as UTF-8; otherwise \w matches only ASCII letters, and not only Mr. 毛泽东 but also Assunção Verônica Álvares, Renée Bäcker and Krytůfek Březový would get thrown to the "Go away, 33vu1 haxx0r!" page if they used their proper names spelled properly :)
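An added example (my own, not code from the reply above) that runs the same \w untaint check once on the raw UTF-8 bytes a form would submit and once on the decoded character strings; it assumes only the core Encode module, and the sample names are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: the same \w untaint
# pattern applied to raw UTF-8 bytes and to decoded character strings.
use strict;
use warnings;
use Encode qw(decode);

binmode STDOUT, ':encoding(UTF-8)';

# Untaint a username: accept it only if it consists solely of word
# characters. Returns undef on failure and never reads $1 unless the
# match succeeded. \z (not $) also rejects a trailing newline.
sub untaint_username {
    my ($input) = @_;
    return $input =~ /^(\w+)\z/ ? $1 : undef;
}

# Constructed inputs, as the raw UTF-8 byte strings a web form would send.
my @raw_inputs = (
    "alice",
    "Ren\xC3\xA9e",                          # Renée
    "\xE6\xAF\x9B\xE6\xB3\xBD\xE4\xB8\x9C",  # 毛泽东
    "bob; DROP TABLE users",                 # must be rejected either way
);

for my $bytes (@raw_inputs) {
    my $chars = decode('UTF-8', $bytes);
    # On the undecoded byte string \w matches only ASCII, so the
    # accented and CJK names are rejected.
    my $on_bytes = defined untaint_username($bytes) ? 'accept' : 'reject';
    # After decoding, \w matches Unicode letters and the names pass,
    # while the injection attempt is still rejected.
    my $on_chars = defined untaint_username($chars) ? 'accept' : 'reject';
    printf "%-22s bytes: %-6s decoded: %s\n", $chars, $on_bytes, $on_chars;
}
```

Run under perl -T to see the capture actually clear the taint flag; the decoding step is what decides whether the non-ASCII names survive the check.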