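#!/usr/bin/perl -l
use strict;
use warnings;

# Demonstrates a denylist check on a user-supplied column definition before it
# is interpolated into a CREATE TABLE statement.  The check is a heuristic, not
# a parser: it only catches the comment markers, statement terminator and quote
# characters that the classic injection shapes rely on.  Production code should
# build DDL from an allowlist of known column types instead of from free text.

exit main() unless caller;    # modulino: run the demo only when executed directly

# Builds and prints the CREATE TABLE statement for the hard-coded "user input".
# Returns 0 on success; returns 1 without building anything when the input is
# rejected, so a rejected definition can no longer reach the query.
sub main {
    # USER INPUT
    my $SQL = 'VARCHAR(100) ); DROP DATABASE mysql; --';

    return 1 if !validate_column_definition($SQL);

    my $query = sprintf( 'CREATE TABLE test ( a %s, b INT )', $SQL );
    print $query;
    return 0;
}

# Checks one column definition for characters that would let it escape the
# column slot of the CREATE TABLE statement.  Complete single- or double-quoted
# string literals (e.g. DEFAULT 'str', COMMENT "str") are removed first so their
# contents cannot trigger a false positive; an unterminated quote survives the
# removal and is rejected.  Prints a diagnostic and returns false on rejection,
# returns true otherwise.
sub validate_column_definition {
    my ($definition) = @_;

    # Strip complete quoted string literals.
    $definition =~ s/'[^']+'//g;
    $definition =~ s/"[^"]+"//g;

    # Comment markers (#, --, /*), statement separator and stray quotes.
    if ( $definition =~ m{ [#] | -- | /[*] | ; | ['`"] }x ) {
        # -l on the shebang appends a newline to every print, so this line
        # is followed by a blank line when run as a script.
        print "SQL INJECTION: $definition\n";
        return 0;
    }
    return 1;
}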