Checking Variables with Regular Expressions
Form variables returned by the browser should almost always be checked for validity. The only time they shouldn't be checked is when any possible input is acceptable, as in the case of the $user and $password variables. These variables can be blank or contain any characters. No matter what controls are added to the HTML form itself, the HTTP submission enables any data to be passed as form variables. Most of the time, it is enough to check that form variables are not empty or that they do not contain data that will crash the application after they are used.
In the case of a database browser, you should restrict the possible SQL queries to those that won't alter the content of the database. To do this, line 073 uses Perl's regular expression engine to check the $query form variable provided by the $p object. The simple regular expression /^select/ returns a true value only if the query starts with the keyword SELECT, and the i modifier relaxes the restriction to enable both uppercase and lowercase versions of the SELECT keyword.
Similar checking is performed on the data source itself in line 072 to gracefully catch obviously malformed data sources, which might result in an uglier error if passed to the database connect method. This type of error checking becomes more important if the page does not display correctly, or at all, due to a fatal error in the program.
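The two checks described above, written out as an added example rather than the book's own listing. The query check uses the page's /^select/i exactly; the data-source pattern (dbi:driver:rest) is an assumption about the DSN shape DBI->connect expects, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers mirroring the two checks in the text.

sub query_is_select {
    my ($query) = @_;
    return 0 unless defined $query;
    # /^select/i as on the page: true only when the text begins with
    # SELECT in any letter case. Leading whitespace is not skipped, so
    # "  select 1" is refused; a query that starts with SELECT but goes
    # on to do something else is not caught by this prefix test alone.
    return $query =~ /^select/i ? 1 : 0;
}

sub data_source_looks_valid {
    my ($dsn) = @_;
    return 0 unless defined $dsn;
    # Assumed DSN shape: "dbi:" + driver name + ":" + driver-specific rest.
    # Catching this here avoids a less readable failure inside DBI->connect.
    return $dsn =~ /^dbi:\w+:\S*$/i ? 1 : 0;
}

# Constructed sample form values (not from the page) to exercise the checks.
my @queries = (
    'SELECT name FROM users',   # allowed
    'select * from orders',     # allowed: the i modifier ignores case
    'DELETE FROM users',        # refused: would alter the database
    '',                         # refused: empty form variable
    '  select 1',               # refused: /^select/ requires SELECT at offset 0
);

for my $q (@queries) {
    printf "%-28s => %s\n", "'$q'",
        query_is_select($q) ? 'allowed' : 'refused';
}

my @sources = (
    'dbi:mysql:inventory',        # ok
    'dbi:SQLite:dbname=test.db',  # ok
    'inventory',                  # malformed: no dbi: prefix
    'dbi::',                      # malformed: empty driver name
);

for my $d (@sources) {
    printf "%-28s => %s\n", "'$d'",
        data_source_looks_valid($d) ? 'ok' : 'malformed';
}
```

Only when both functions return true would the program go on to call the connect method and run the query; everything else should produce the friendly error message the text recommends.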