First, the backslashes in front of the single quotes are not necessary.

Second, while it definitely IS better to use placeholders (especialy if you are gonna execute the same command with different "parameters" several times) here is another cute solution:

use Interpolation "'" => 'sqlescape';

$sth = $dbh->prepare(
 "SELECT SUM(number) FROM $serverTable where name = $'{$surname}'");
[download]

Jenda@Krynicky.cz