For the record, I have done bounds checking on everything. I was, however, a bit ambivalent about exactly where to put it. Data validation is primarily done at the untainting level, as much of the data is free-form. There are some specific instances where validation is a bit tighter ("does such and such a key actually exist", for instance, or "do we have a valid date"), but I opted to have that in the calling code rather than in the database API layer. I didn't want to duplicate validation in both the calling code and the API, but I still wound up with some extra validation in the API for really persnickety problems. I think I need to go back and do more reading on system design, though. I'm not quite happy with how everything got laid out.
Side note: as for perrin's node about exception handling, they're handled either in the calling code or in the database parent class (using CGI::Carp. Since this is the largest system that I have build to date, it's been quite a learning experience.
Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.