I gather that you are not using parameterized sql statements for doing the table updates, and you should be. You haven't provided enough code for anyone here to give a detailed reply about what needs to be done, but assuming that you are using the DBI module to perform the updates, then check out the part of the DBI man page that describes the functions "prepare", "bind_param" and "execute(@bind_values)".

In a nutshell, you start with an update statement like

my $sth = $dbh->prepare("update my_table set title=? where key=?");
[download]

and then execute the statement with a list of scalar values like this:

$sth->execute( $in{title}, $in{key} );
[download]

No quotation marks are needed around the string values being handed to the database, and there is no need to escape things within the scalar values that happen to be quote characters.