in reply to Detect SQL injection

Sounds like you accept an SQL type from the user, so what you need to do is validate that you got a valid SQL type (or whatever subset you deem acceptable). Doing so doesn't involve removing characters.
    $type =~ s/\s+/ /g;   # Liberal for inputs, strict for outputs.
    $type =~ s/^\s//;
    $type =~ s/\s\z//;
    $type = uc($type);
    $type =~ /
       ^
       (?:
          VARCHAR (?: \s* \( \s* [0-9]+ \s* \) )?
        | CHAR    (?: \s* \( \s* [0-9]+ \s* \) )?
        | ...
       )
       \z
    /x
       or die;

You could also accept two fields, one of them a drop-down. The user wouldn't have to know SQL.

    if ($type eq 'VARCHAR') {
        if ($arg eq '') {
            $sql = $type;
        } elsif ($arg =~ /^[0-9]+\z/) {
            $sql = "$type($arg)";
        } else {
            die
        }
    } elsif ($type eq 'CHAR') {
        if ($arg eq '') {
            $sql = $type;
        } elsif ($arg =~ /^[0-9]+\z/) {
            $sql = "$type($arg)";
        } else {
            die
        }
    }
    ...
    else {
        die
    }
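The two approaches in the reply above (a free-text type spec checked against an allow-list, and a drop-down plus argument field) can share one allow-list table. The script below is an added example, not the poster's code: the set of accepted types, the digit limits on the arguments, and the function names are assumptions chosen for illustration. Input that is not on the list is rejected outright rather than stripped of characters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list of column types the application is willing to emit.
# The table contents are an assumption for this example; extend it
# with whatever subset of types the schema actually needs.
my %TYPES = (
    VARCHAR => qr/^[0-9]{1,5}\z/,   # VARCHAR or VARCHAR(n)
    CHAR    => qr/^[0-9]{1,3}\z/,   # CHAR or CHAR(n)
    INT     => undef,               # no argument accepted
    DATE    => undef,
);

# Two-field form (drop-down + argument). Returns the SQL fragment to
# interpolate, or undef when the input is not on the allow-list.
sub build_type {
    my ($type, $arg) = @_;
    return undef unless defined $type;
    $arg = '' unless defined $arg;

    # Canonicalise the type name; the drop-down value is still user
    # input and is checked like anything else.
    $type =~ s/^\s+|\s+\z//g;
    $type = uc $type;
    return undef unless exists $TYPES{$type};

    $arg =~ s/^\s+|\s+\z//g;
    return $type if $arg eq '';              # bare type name

    my $arg_re = $TYPES{$type};
    return undef unless defined $arg_re;     # type takes no argument
    return undef unless $arg =~ $arg_re;     # argument is not a plain integer
    return "$type($arg)";
}

# Free-text form ("varchar ( 255 )"). Splits the name and optional
# argument apart and hands both to the same allow-list.
sub validate_type_spec {
    my ($spec) = @_;
    return undef unless defined $spec;

    $spec =~ s/\s+/ /g;           # liberal on input ...
    $spec =~ s/^ //;
    $spec =~ s/ \z//;             # ... strict on output

    my ($name, $arg) = $spec =~ /
        ^
        ([A-Za-z]+)                        # type name
        (?: \s* \( \s* ([0-9]+) \s* \) )?  # optional (n)
        \z
    /x or return undef;

    return build_type($name, defined $arg ? $arg : '');
}

# Demonstration on a few constructed inputs (not real user data).
if (!caller) {
    for my $input ('varchar(255)', ' char ( 8 ) ', 'int', 'int(4)',
                   'varchar(10); --', 'blob') {
        my $out = validate_type_spec($input);
        printf "%-25s => %s\n", "'$input'", defined $out ? $out : 'REJECTED';
    }
}
```

Running the script shows `varchar(255)`, `char ( 8 )` and `int` coming back canonicalised as `VARCHAR(255)`, `CHAR(8)` and `INT`, while `int(4)` (argument on a type that takes none), `varchar(10); --` (extra characters) and `blob` (not in the table) are all rejected. Because the only strings that ever reach `$sql` are built from the table keys and a digit-only argument, there is nothing left to sanitise.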