There are two main ways to deal with this using DBI. The first is their quote function:

# this works, but don't do it... The "correct" way is bind-vars
$value = $dbh->quote("sneaky text with posessives' in it");  $sql = "u
+pdate set column = $value";
[download]

The coolest most modern way to do it is bind vars:

# Do this every time:
my $sth = $dbh->prepare("update table set column=?") or die $dbh->errs
+tr;
   $sth->execute("sneaky text with posessives' in it") or die $dbh->er
+rstr;
[download]

If you use the bind-vars every single time, you'll very rarely have the kinds of horrible security problems that plague early php programs (sql injection).