in reply to regex challenged

You should just use placeholders and avoid escaping of the values totally:
    my $sth = $dbh->prepare('SELECT Name, UserID, Passwd, Class FROM Users WHERE UserID=?');
    $sth->execute($User);

The database substitutes the question mark with the value from $User without interpreting it as SQL, so you're as safe as you can get that way.

When you print out the user name again someday, you have to HTML-Escape it. Good template systems like HTML::Template::Compiled can do that by default with the default_escape => 'HTML' option.

Perl 6 - links to (nearly) everything that is Perl 6.
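The two steps described in the reply above (bind the value with a placeholder on the way in, HTML-escape it on the way out), put together as an added example that is not the poster's code. It assumes DBD::SQLite is installed; the in-memory table, the sample rows and the helper names find_user and render_name are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use HTML::Template::Compiled;

# Constructed sample data in an in-memory SQLite database (assumes DBD::SQLite).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
$dbh->do('CREATE TABLE Users (Name TEXT, UserID TEXT, Passwd TEXT, Class TEXT)');

my $insert = $dbh->prepare(
    'INSERT INTO Users (Name, UserID, Passwd, Class) VALUES (?, ?, ?, ?)');
# Values containing quote and markup characters are stored exactly as given.
$insert->execute(q{Pat O'Neil <pat@example.com>}, q{o'neil}, 'placeholder-hash', 'user');
$insert->execute('Ann & Co', 'ann', 'placeholder-hash', 'admin');

# Hypothetical helper: look up one user. The value is bound to the
# placeholder and never becomes part of the SQL text.
sub find_user {
    my ($user) = @_;
    my $sth = $dbh->prepare(
        'SELECT Name, UserID, Passwd, Class FROM Users WHERE UserID=?');
    $sth->execute($user);
    return $sth->fetchrow_hashref;    # undef when no row matches
}

# Hypothetical helper: render the stored name. default_escape => 'HTML'
# escapes every template variable unless the template says otherwise.
sub render_name {
    my ($row) = @_;
    my $tmpl = '<p>Hello, <TMPL_VAR NAME="name">!</p>';
    my $htc  = HTML::Template::Compiled->new(
        scalarref      => \$tmpl,
        default_escape => 'HTML',
    );
    $htc->param(name => $row->{Name});
    return $htc->output;
}

# The apostrophe in the first ID needs no escaping by the caller.
for my $id (q{o'neil}, 'ann', 'nobody') {
    my $row = find_user($id);
    print defined $row ? render_name($row) : "no such user: $id", "\n";
}
```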