Of course if you had meant the string $to_replace is an actual regex to match against, you're better off using the qr operator:
I don't get this point. You started off that section with:
and doomed this catastrophically unsafe
, because $to_replace
may actually contain characters that have a special meaning.
But if $to_replace is actually a regexp, the premises is gone -- any special characters are intentional. In fact, it's quite fine in that case to use the above.