What Moritz says about using a placeholder is definitely the way to go vis. avoiding SQL injection.
If you want a simple way to make it HTML safe, you can do that before you put it in the DB or after, when you take it out and want to use it in a page (depending what else is done with the data). There are lots of modules, etc, for doing this but the major issue is the < and >, and ' if you use javascript:
$string =~ s/</</g;
$string =~ s/>/>/g;
$string =~ s/'/'/g;
Hopefully you recognize what that is for. There is a chart of all HTML "escape" codes at
http://www.lookuptables.com/