in reply to
Re^7: Removing malicious HTML entities (now with more questions!)
in thread Removing malicious HTML entities (now with more questions!)
Ugh, I had to write so much code that resembles what you have there that in the end I wrote my own little DB "abstraction" (more like an SQL generator and executor) to refactor all that. It generates SQL by using placeholders for everything (values), based on the fields available in the data/form and the table.
So I ended up with something like:
    $DB->insert_record(
        table => 'mytable',
        data  => $form,
    );

    # But if you want timestamp => NOW() it should not be used as a
    # placeholder, so I added another parameter marking which fields
    # should be included as they are ... Of course this particular
    # example would better have been done by setting the default value
    # of the timestamp field to NOW() and sending nothing here....
    $form->{timestamp} ||= 'NOW()';
    $DB->insert_record(
        table        => 'mytable',
        data         => $form,
        as_is_fields => $form->{timestamp} eq 'NOW()' ? [qw/timestamp/] : [],
    );
Nowadays I just pass around hashrefs from CGI to my DB-thing (through HTML::Entity and Data::FormValidator first), and from the DB-thing to Template Toolkit on output. And I just take care to use the same field names in all of those, so that the DB-thing can do its magic.
Have you tried freelancing/outsourcing? Check out
Scriptlance - I have been working there since 2003. For more info about Scriptlance and freelancing in general check out
my home node.
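The generator the reply describes, written out as an added example (this is not the poster's DB-thing, nor any CPAN module): build_insert() takes the same table / data / as_is_fields arguments, binds every value through a `?` placeholder, and only inlines an as_is field when its value is on a small allowlist of SQL expressions (NOW(), CURRENT_TIMESTAMP). The allowlist, the backtick identifier quoting (MySQL-style) and the sample form data are all assumptions made for the example; the poster's insert_record() executes the statement as well, whereas this version just returns the SQL and the bind list so the result can be inspected.

```perl
#!/usr/bin/perl
# Added example, not the original poster's code: a placeholder-based
# INSERT generator with an "as_is_fields" escape hatch.
use strict;
use warnings;

# Assumption: the only expressions that may be inlined verbatim.
# Everything else in data is always bound through a placeholder, so a
# value that merely looks like SQL is inserted as a string.
my %ALLOWED_AS_IS = map { $_ => 1 } ('NOW()', 'CURRENT_TIMESTAMP');

# Quote an identifier (MySQL-style backticks, assumed) and refuse
# anything that is not a plain column or table name; form field names
# are attacker-controlled, so they are checked, never interpolated raw.
sub quote_ident {
    my ($name) = @_;
    die "bad identifier: $name"
        unless $name =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    return "`$name`";
}

# build_insert(table => ..., data => \%form, as_is_fields => [...])
# returns ($sql, \@bind). Columns are taken from the keys of data,
# sorted so the output is deterministic.
sub build_insert {
    my %arg   = @_;
    my $table = quote_ident($arg{table});
    my $data  = $arg{data} or die "data required";
    my %as_is = map { $_ => 1 } @{ $arg{as_is_fields} || [] };

    my (@cols, @vals, @bind);
    for my $field (sort keys %$data) {
        push @cols, quote_ident($field);
        if ($as_is{$field}) {
            # Inline only a known-safe expression; anything else is an error
            # rather than being pasted into the statement.
            my $expr = $data->{$field};
            die "refusing to inline '$expr' for $field"
                unless defined $expr && $ALLOWED_AS_IS{$expr};
            push @vals, $expr;
        }
        else {
            push @vals, '?';
            push @bind, $data->{$field};
        }
    }
    die "no columns to insert" unless @cols;

    my $sql = sprintf 'INSERT INTO %s (%s) VALUES (%s)',
        $table, join(', ', @cols), join(', ', @vals);
    return ($sql, \@bind);
}

# Constructed sample form data. The name contains quote and statement
# characters on purpose; because it is bound, it never becomes SQL.
my %form = (
    name      => "O'Brien; DROP TABLE mytable; --",
    email     => 'someone@example.com',
    timestamp => 'NOW()',
);

my ($sql, $bind) = build_insert(
    table        => 'mytable',
    data         => \%form,
    as_is_fields => $form{timestamp} eq 'NOW()' ? ['timestamp'] : [],
);
print "$sql\n";
print "bind: ", join(' | ', @$bind), "\n";

# With DBI this would be executed as $dbh->do($sql, undef, @$bind).
# If 'timestamp' were left out of as_is_fields, the literal string
# 'NOW()' would be bound and stored as text, not evaluated by the DB.
```

The important property is that the caller decides which fields are expressions, and even then the expression itself is matched against an allowlist; the form hash never chooses what ends up in the SQL text.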