I'm coding a website right now. I store the users' accounts inside a MySQL table. I use PDO to access them as it's a lot safer and takes care of any attacks. I store usernames as a VARCHAR(24).
But here is my question: does PDO take care of overflows? For example if the user would try to set his username to a length of 25?
Not sure whether you did the obvious thing and just tried yourself but... No, PDO is not a complex ORM. It won't waste resources parsing SQL queries to determine what tables and columns are to be written and fetching table definitions from server to validate input data.
Depending on your MySQL configuration, your query will fail with an error or it'll proceed happily and you'll get data loss as a feature. But it'll all happen at the MySQL server:
mysql> CREATE TABLE user (
-> user_id INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
-> username VARCHAR(24) NOT NULL,
-> PRIMARY KEY (user_id)
-> );
Query OK, 0 rows affected (0.00 sec)
mysql> SET @@SESSION.sql_mode='';
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO user (username) VALUES ('this.is.a.very.long.username');
Query OK, 1 row affected, 1 warning (0.00 sec)
mysql> SHOW WARNINGS;
+---------+------+-----------------------------------------------+
| Level   | Code | Message                                       |
+---------+------+-----------------------------------------------+
| Warning | 1265 | Data truncated for column 'username' at row 1 |
+---------+------+-----------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT * FROM user;
+---------+--------------------------+
| user_id | username                 |
+---------+--------------------------+
|       1 | this.is.a.very.long.user |
+---------+--------------------------+
1 row in set (0.00 sec)
mysql> SET @@SESSION.sql_mode='TRADITIONAL';
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT INTO user (username) VALUES ('this.is.also.a.very.long.username');
ERROR 1406 (22001): Data too long for column 'username' at row 1
If you are talking about what the term buffer overflow commonly refers to, both PHP and great parts of MySQL Server are written in C, which is a rather low level language that's certainly vulnerable to it. But of course both developer teams try their best to avoid it, and if you face one it'll be the result of a bug; it should be reported as a potential security vulnerability, and it's highly unlikely to be caused by the simple case you describe.
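The answer above shows that whether an oversized value is silently truncated (warning 1265) or rejected (error 1406) is decided by the server's sql_mode, not by PDO. The following PHP script is an added example, not code from the question or the answer: it enforces the VARCHAR(24) limit in the application before the query is sent, and pins the session to a strict sql_mode through PDO::MYSQL_ATTR_INIT_COMMAND so that MySQL rejects anything that slips past that check instead of truncating it. The table is the `user` table from the answer's CREATE TABLE; the DSN, credentials and the `insertUser`/`validateUsername` helper names are assumptions for the example. Note that VARCHAR(24) is a limit of 24 characters, not bytes, so the check uses mb_strlen rather than strlen.

```php
<?php
// Added example (not from the original question or answer). Assumes a MySQL
// server reachable through the placeholder DSN/credentials below and the
// `user` table from the answer: username VARCHAR(24) NOT NULL.
declare(strict_types=1);

// Must match the column definition. VARCHAR(n) is n characters, not n bytes.
const USERNAME_MAX_CHARS = 24;

// Application-side length check. PDO's prepared statements stop SQL
// injection, but PDO does not know the column width, so the length rule has
// to live here (and, as a second line of defence, in the server's sql_mode).
function validateUsername(string $username): string
{
    // mb_strlen counts characters, matching MySQL's VARCHAR semantics;
    // strlen would count UTF-8 bytes and reject valid multibyte names.
    if (mb_strlen($username, 'UTF-8') > USERNAME_MAX_CHARS) {
        throw new InvalidArgumentException(
            sprintf('username must be at most %d characters', USERNAME_MAX_CHARS)
        );
    }
    return $username;
}

function connect(string $dsn, string $user, string $password): PDO
{
    return new PDO($dsn, $user, $password, [
        // Raise exceptions on SQL errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Force strict mode for this session regardless of the server's
        // global setting: oversized values now fail with error 1406 rather
        // than being truncated with warning 1265, as shown in the answer.
        PDO::MYSQL_ATTR_INIT_COMMAND => "SET SESSION sql_mode = 'STRICT_ALL_TABLES'",
    ]);
}

// Inserts a user and returns the new user_id.
function insertUser(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('INSERT INTO user (username) VALUES (:username)');
    $stmt->execute([':username' => validateUsername($username)]);
    return (int) $pdo->lastInsertId();
}

// Usage. DSN and credentials are placeholders.
$pdo = connect('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');

// 28 characters: rejected by the application check before any query is sent.
try {
    insertUser($pdo, 'this.is.a.very.long.username');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Same value sent without the application check, to show the server-side
// behaviour: in strict mode MySQL rejects it (error 1406, see the answer)
// instead of storing 'this.is.a.very.long.user'.
try {
    $pdo->prepare('INSERT INTO user (username) VALUES (?)')
        ->execute(['this.is.also.a.very.long.username']);
} catch (PDOException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// 24 characters: passes both checks.
echo 'inserted user_id ', insertUser($pdo, 'this.is.a.very.long.user'), PHP_EOL;
```

Doing both checks is deliberate: the application check gives the user a clear error before a round trip to the database, while the per-session sql_mode guarantees that no code path (an admin script, a second entry point, a forgotten bulk import) can silently truncate data if the server's global sql_mode is ever left at the permissive setting shown in the answer.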
PDO doesn't care about length by default. If you use MySQL as the database, the cell will be automatically truncated to the field length.