in reply to Improving the security of SQL::Interp

Of your three, #2 looks best to me. It's a decent heuristic.

#3 is, I think, actually impossible in general. Consider:

my $v1 = 'field3'; my $v2 = 'value'; sql_interp('SELECT * FROM table WHERE field1 = ', $v1, ' AND field2 = +', $v2)

#3 would presumably make this equivalent to field1 = 'field3' AND field2 = 'value', but the programmer might well have intended it to be field1 = field3 AND field2 = 'value', at which point the DWIMmery would merely have resulted in a perplexing bug. There's no way to determine which of the two was intended (let alone the other possible permutations), so it's better just to require the programmer to be explicit.
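As an added illustration of the "be explicit" position (not code from the thread or from SQL::Interp itself), here is a hypothetical Python sketch in which a variable can only enter the statement as a marked bind value or a marked, validated identifier, so the two readings of the example above become two different call sites rather than a guess; the `Bind` and `Ident` markers and the table name `t` are assumptions of the sketch:

```python
import re
from dataclasses import dataclass
from typing import Any

# Hypothetical markers (not part of SQL::Interp): the caller states which
# interpolated variables are bind values and which are column identifiers.
@dataclass(frozen=True)
class Bind:
    value: Any

@dataclass(frozen=True)
class Ident:
    name: str

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def sql_interp(*parts):
    """Build (sql, binds). Plain str parts are SQL fragments, as in SQL::Interp;
    every variable must be wrapped in Bind() or Ident(), so nothing is guessed."""
    sql, binds = [], []
    for part in parts:
        if isinstance(part, Bind):
            sql.append("?")                      # value goes to the driver, never into SQL text
            binds.append(part.value)
        elif isinstance(part, Ident):
            if not IDENT_RE.match(part.name):    # reject anything that is not a bare name
                raise ValueError(f"invalid identifier: {part.name!r}")
            sql.append(f'"{part.name}"')          # quoted, so it can only be a column name
        elif isinstance(part, str):
            sql.append(part)                      # raw SQL written by the programmer
        else:
            raise TypeError(f"unmarked value {part!r}: wrap it in Bind() or Ident()")
    return "".join(sql), binds

# Constructed sample input: the two readings of the statement in the post.
v1, v2 = "field3", "value"

def as_value():
    return sql_interp("SELECT * FROM t WHERE field1 = ", Bind(v1), " AND field2 = ", Bind(v2))

def as_column():
    return sql_interp("SELECT * FROM t WHERE field1 = ", Ident(v1), " AND field2 = ", Bind(v2))

if __name__ == "__main__":
    print(as_value())   # ('SELECT * FROM t WHERE field1 = ? AND field2 = ?', ['field3', 'value'])
    print(as_column())  # ('SELECT * FROM t WHERE field1 = "field3" AND field2 = ?', ['value'])
```

An unmarked variable is rejected outright rather than silently interpolated as raw SQL, which is the failure the thread is trying to design away.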