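# Kept unchanged: other code in this file may still rely on the tied %' hash
# ($'{...}) that this line installs.
use Interpolation "'" => 'sqlescape';

# Prepare the SUM(number) lookup for a single surname.
#
# The name literal is built with DBI's driver-aware $dbh->quote() instead of
# the 'sqlescape' interpolator. quote() supplies the surrounding quotes and
# the escaping rules of the connected database, so no quote characters are
# written around it here.
# NOTE(review): 'sqlescape' appears to only double single quotes and prepend
# the opening quote; that is not driver-aware and may be insufficient on
# databases that also treat backslash as an escape character -- confirm.
# An undefined $surname is rendered as NULL, and "name = NULL" matches no row.
#
# The preferred form is a bound placeholder ("where name = ?") with $surname
# passed to execute(). It is not used here because the execute() call lies
# outside this block and would have to change in the same commit.
#
# $serverTable is an identifier, so it cannot be bound or value-quoted. It
# must come from a fixed allow-list and never from request data -- TODO
# confirm against the code that assigns it.
$sth = $dbh->prepare(
    "SELECT SUM(number) FROM $serverTable where name = "
        . $dbh->quote($surname)
);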