http://www.perlmonks.org?node_id=11137296


in reply to Re: Is it safe to use external strings for regexes?
in thread Is it safe to use external strings for regexes?

In the latter case, there are three issues I'm aware of:
  1. code injection by string interpolation, like /@{ do_evil() }/
  2. code injection by regex, like /(?{ do_evil() })/
  3. exponential time regexes with excessive backtracking, something like /((x*)*)*/ IIRC
String interpolation of variables only happens for literal regexes in the source code. So if the pattern is read from a file or database this isn't an issue.

Embedded code within a pattern is only allowed within the scope of use re 'eval'; otherwise trying to compile such a regex from a string will die at run time.

The third one is a genuine issue, in terms of both CPU and memory usage.

Dave.
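An added example (my code, not Dave's) that puts the three points into practice from the defending side: the pattern is compiled once from data, so the interpolation case is inert, the eval-group case is rejected at compile time, and the backtracking case is contained by a wall-clock limit. It assumes a Unix-like perl (fork, alarm, POSIX::_exit) and the canary sub do_evil is my addition.

```perl
use strict;
use warnings;
use POSIX ();

# Canary (constructed for this example): if any route runs code from the
# pattern, this dies loudly instead of silently succeeding.
sub do_evil { die "do_evil() was called\n" }

# (1) and (2): compile a pattern that arrived as data. The string is
# interpolated into qr// exactly once, so '@{ ... }' inside it is just regex
# characters, and with no 'use re "eval"' in scope a '(?{ ... })' group makes
# qr// die at run time, which we catch and turn into a rejection.
sub compile_external {
    my ($pattern) = @_;
    my $re = eval { qr/$pattern/ };
    return $re if defined $re;
    warn "rejected pattern: $@";
    return;
}

# (3): a hostile pattern can compile fine and then backtrack for a very long
# time. alarm() in the same process is not enough: perlipc documents that safe
# signals are only seen between opcodes, and one match is one opcode. So run
# the match in a child with no ALRM handler and let SIGALRM's default action
# kill it; the parent reads the outcome from the exit status.
sub match_with_limit {
    my ($re, $subject, $seconds) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                       # child
        alarm($seconds);
        POSIX::_exit($subject =~ $re ? 0 : 1);
    }
    waitpid($pid, 0);
    return 'timeout' if ($? & 127) == POSIX::SIGALRM();
    return ($? >> 8) == 0 ? 'match' : 'nomatch';
}

# Constructed inputs standing in for patterns read from a file or database.
my @cases = (
    [ '@{ do_evil() }',   'harmless text'  ],  # (1) ordinary nomatch, canary silent
    [ '(?{ do_evil() })', 'anything'       ],  # (2) rejected by compile_external
    [ '^(a+)+$',          ('a' x 30) . 'b' ],  # (3) compiles; near-miss subject
);

for my $case (@cases) {
    my ($pat, $subject) = @$case;
    my $re = compile_external($pat) or next;
    printf "%-18s => %s\n", $pat, match_with_limit($re, $subject, 2);
}
```

Whether case (3) reports nomatch or timeout depends on how well the running perl's backtracking optimisations cope with that particular pattern; the time limit is what guarantees an answer either way.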