# allow alphanumerics, period, hyphen, ampersand
if ($data =~ /^([-\@\w.]+)$/) { # $data is tainted
    $data = $1;                 # $data now untainted
} else {
  die "Bad data in '$data'";    # log this somewhere
}