I most certainly agree. I never program in such a way that I am passing in arbitrary table names though and so I've never needed to look up the method that would quote it for me. Thankyou for pointing out the correct method.
In all cases the name of the table could be validated before trying to use it in actual SQL - either by using "show tables" in MySQL or by "SELECT table_name FROM user_tables" in Oracle. Either way I would not be using the user supplied data in that portion of the SQL.
my @a=qw(random brilliant braindead); print $a[rand(@a)];