my problem is that it gives me a runtime error when ever my address record contains an apostrophe character (').
You're on the right track in thinking that you need to escape the single quote, but on the wrong track in thinking that you need to do this in the database.
It suffices to "escape" the single quotes right before you emit the Javascript. Try something like the following (untested, but I've done something like this before a few years back):
# after you've fetched the row
my $escapedCustno = jsescape($custno);
...
print <<EndHTML;
<script language="javascript">
fillCustomer('$escapedCustno', ...
sub jsescape {
my $str = shift;
$str =~ s/("')/\\$1/g;
$str;
}