Show us code. I suspect that you're constucting an INSERT/UPDATE query by using string interpolation or simple concatenation (a bad idea), rather than using bind variables, which give you automagic, database-specific quoting.

Ponder the difference between

  my $name = $cgi->param('name');
  my $query = "INSERT ... VALUES($name)";
[download]

and

  my $name = $cgi->param('name');
  my $query = "INSERT ... VALUES("
              . dbi->quote($name)
              . ")";
[download]

and note that quote() gets invoked automagically when you execute() a query and provide values for placeholders in the query.