http://qs321.pair.com?node_id=603481


in reply to Re^2: Making a regex case insensitive
in thread Making a regex case insensitive

Instead of checking for bad tokens you should just use bound parameters whenever possible, and DBI's quote method when it isn't possible. You'll save yourself a lot of pain that way.

Perfect paranoia is perfect awareness when it comes to preventing SQL injection attacks. Make sure you are binding or quoting everything that will touch the database. It's a semi-common mistake to include $ENV{HTTP_REFERER} or $ENV{HTTP_USER_AGENT} in the SQL unquoted.
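As an added illustration of the advice above (this is not code from the post or its author), the script below logs the two request headers named in the reply three ways: spliced straight into the SQL text, bound through placeholders, and escaped with DBI's quote method. It assumes DBD::SQLite is installed and uses an in-memory database; the header values are constructed for the example. Note that a header only has to contain an apostrophe, which is a perfectly legitimate character, for the interpolated version to break.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed example: an in-memory SQLite database through DBD::SQLite
# (assumed installed). The same pattern applies to any other DBD driver.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do('CREATE TABLE hits (referer TEXT, user_agent TEXT)');

# Constructed request headers. Both contain an apostrophe, which is
# enough to break a statement that interpolates them as text.
local $ENV{HTTP_REFERER}    = "http://example.com/o'brien";
local $ENV{HTTP_USER_AGENT} = "Mozilla/5.0 (compatible; O'Reilly Crawler)";

# Unsafe: the raw header values become part of the SQL statement itself,
# so whatever the client sends decides what the statement is.
sub log_hit_unsafe {
    my ($dbh) = @_;
    my $sql = "INSERT INTO hits (referer, user_agent) VALUES "
            . "('$ENV{HTTP_REFERER}', '$ENV{HTTP_USER_AGENT}')";
    return eval { $dbh->do($sql); 1 } ? 'ok' : "failed: $@";
}

# Safe: placeholders in the SQL, values bound at execute time. The values
# travel separately from the statement text and cannot alter its structure.
sub log_hit_bound {
    my ($dbh) = @_;
    my $sth = $dbh->prepare(
        'INSERT INTO hits (referer, user_agent) VALUES (?, ?)');
    $sth->execute($ENV{HTTP_REFERER}, $ENV{HTTP_USER_AGENT});
    return 'ok';
}

# Fallback for the cases where a placeholder is not possible: $dbh->quote()
# returns a correctly escaped string literal for the connected driver.
# It is for literal values only, never for table or column names.
sub log_hit_quoted {
    my ($dbh) = @_;
    my $sql = sprintf 'INSERT INTO hits (referer, user_agent) VALUES (%s, %s)',
        $dbh->quote($ENV{HTTP_REFERER}), $dbh->quote($ENV{HTTP_USER_AGENT});
    $dbh->do($sql);
    return 'ok';
}

printf "unsafe interpolation: %s\n", log_hit_unsafe($dbh);
printf "bound parameters:     %s\n", log_hit_bound($dbh);
printf "DBI quote():          %s\n", log_hit_quoted($dbh);

my ($n) = $dbh->selectrow_array('SELECT COUNT(*) FROM hits');
print "rows stored: $n\n";

$dbh->disconnect;
```

Run it with `perl dbi_headers.pl`. The interpolated variant fails with a syntax error because the apostrophe in the referer terminates the string literal early, while the bound and quoted variants each store a row with the header values intact. Binding is the preferred form because the database never sees the values as SQL at all; quote() is the fallback for the places where the statement shape rules out a placeholder.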