You should also look into using the DBI module to communicate with the database, which would avoid having to do any shell escapes on your data at all. You'd still have to quote out database-special chars, but the DBI module provides a quote() method that handles it for you.