http://www.perlmonks.org?node_id=1048153


in reply to execute a string as a function

Definitely dispatch ... avoids the Bobby Tables Problem, which has many manifestations. You should also preface this with an explicit test to verify that a key does exist in the dispatch table, e.g.:

die "No key for '$foo!'" unless exists($dispatch->{$foo});
... making sure, of course, that this message (specifically, $foo), in un-sanitized form, cannot by any means make its way into any user-delivered output, where it could conceivably be a vector for script-injection. The message should appear only in unpublished log-files (STDERR).

As just one of its many advantages, this technique avoids the overhead of “compiling at runtime,” and it expressly indicates the full extent of what you, the designer, intended for the software to do in every case, “and here are all the cases.” With a mere glance at the source code, anyone can plainly see what the software is to do given any possible input, malicious or otherwise, and can be certain that this is what will occur.
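The pattern described in the post above, as an added example that is not part of the original post: a dispatch table guarded by exists(), with the rejected key written only to STDERR and a fixed message returned to the caller. The handler names, run_command, the sample inputs and the escaping of non-printable characters in the log line are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical handlers for a sequence-processing script. The table is
# the complete list of operations the program is willing to perform.
my $dispatch = {
    revcomp => sub {
        my ($seq) = @_;
        my $r = scalar reverse $seq;
        $r =~ tr/ACGTacgt/TGCAtgca/;
        return $r;
    },
    length => sub { my ($seq) = @_; return length $seq },
    gc     => sub {
        my ($seq) = @_;
        return '0.00' unless length $seq;
        my $n = ($seq =~ tr/GCgc//);    # tr returns the match count
        return sprintf '%.2f', $n / length $seq;
    },
};

# Returns (1, result) for a known key, (0, fixed message) otherwise.
sub run_command {
    my ($name, @args) = @_;
    $name = '' unless defined $name;

    # exists() is a plain hash lookup: $name is never compiled, never
    # used as a symbol name, and nothing is autovivified.
    unless (exists $dispatch->{$name}) {
        # Detail goes to STDERR only. Non-printable characters are
        # escaped so the value cannot add forged lines to the log.
        (my $safe = $name) =~ s/([^\x20-\x7e])/sprintf('\\x{%x}', ord $1)/ge;
        warn "No key for '$safe'\n";
        # The caller-facing message never echoes the input.
        return (0, 'unknown command');
    }
    return (1, $dispatch->{$name}->(@args));
}

# Constructed sample inputs: two valid keys and two that are not in the table.
for my $cmd ('revcomp', 'gc', 'no_such_op', "rev\ncomp") {
    my ($ok, $result) = run_command($cmd, 'ATGCGC');
    print $ok ? "$cmd: $result\n" : "request rejected: $result\n";
}
```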

Re^2: execute a string as a function
by bioinformatics (Friar) on Aug 07, 2013 at 12:43 UTC
    This script is dealing with (if I'm guessing correctly) processing of biological sequences. It's doubtful that script injection would be a concern here...

    Bioinformatics

      We could be looking at the first chemical to electronic host-jumping virus! Best to be safe.