in reply to Re: CGI (in)security
in thread CGI (in)security

DBI will do the quoting for you automatically if you use the bind params format. Something like

untested and no error checking
$sql = "select name from customer_table where customer_id = ?";  # ? is a placeholder, not interpolated text
$sth = $dbh->prepare($sql);
$sth->execute($customer_id);                                      # value is bound here, quoted by the driver
Execute takes an array of values and subs them in order for the ?'s in the SQL statement. It will quote/not quote as necessary. Should be sufficient to prevent SQL injection issues.
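The contrast the post describes, as an added example that is not the poster's code: the same lookup with the value interpolated into the SQL text versus bound through a `?` placeholder. It assumes DBD::SQLite is installed and uses a constructed in-memory table; `customer_table`, `customer_id` and the input `O'Brien` are placeholders standing in for real data.

```perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available; an in-memory database stands in for the real one.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE customer_table (customer_id TEXT, name TEXT)");
my $ins = $dbh->prepare("INSERT INTO customer_table (customer_id, name) VALUES (?, ?)");
$ins->execute(@$_) for (["c100", "Alice"], ["O'Brien", "Bob"]);   # constructed rows

# Constructed user input containing a single quote, as a CGI form field might deliver it.
my $customer_id = "O'Brien";

# Unsafe: interpolating the value into the SQL text. The quote inside the input
# closes the string literal early, so the remainder is parsed as SQL rather than data.
my $unsafe_sql = "select name from customer_table where customer_id = '$customer_id'";
my $unsafe = eval { $dbh->selectall_arrayref($unsafe_sql); 1 } ? "ran" : "failed: $@";
print "interpolated query: $unsafe";

# Safe: the value is bound to the ? placeholder at execute time and is never parsed
# as SQL, so the quote character is just part of the data.
my $sth = $dbh->prepare("select name from customer_table where customer_id = ?");
$sth->execute($customer_id);
while (my ($name) = $sth->fetchrow_array) {
    print "bound query found: $name\n";
}

# When SQL text must be assembled by hand, $dbh->quote applies the driver's own
# escaping rules to a literal; placeholders remain the preferred form.
print "driver-quoted literal: ", $dbh->quote($customer_id), "\n";
```

Run with `perl`; the interpolated query fails with a syntax error from the stray quote, while the bound query returns the intended row.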