because I'll be passing it to a sql statement as part of an "IN" clause

My first suggestion is to not re-invent the wheel, have a look at SQL::Abstract (example).

DBI provides quote* and quote_identifier, this is the very least you should do - don't go and try to quote the strings yourself.

Also, as an aside, you should always use placeholders wherever possible - see Bobby Tables.

* Update:

use warnings;
use strict;
use DBI;

# just using an SQLite in-memory DB as an example here
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", '', '',
    { RaiseError=>1, AutoCommit=>0 } );

my @values = qw/ CAT DOG BIRD COW bl'ah /;
my $str = join ',', map { $dbh->quote($_,'VARCHAR') } @values;
print $str, "\n";

__END__

'CAT','DOG','BIRD','COW','bl''ah'
[download]