I think that you're taking the wrong approach here. I think that you should try to address this as your $values string is constructed, rather than trying to fix it right at the last minute.

Two approaches that I can think of:

• Use the quote method from DBI. This will make your code more portable as it will use whatever quote escaping method your current database uses - rather than hardcoding one method which won't be guaranteed to work if you ever use this code against a different database system.
• Instead of putting $values into your SQL string, instead the relevant number of placeholders (three in this example) and pass the required strings (in a list) to that execute call. That way, DBI and your DSD handle all the quoting and escaping for you - so you don't need to worry about it.