fix: Address code review feedback

- Fix SQL injection risk in SQLite PRAGMA queries by sanitizing table names
- Use null coalescing operator for cleaner default value check
- Import utility function at top level instead of dynamic import
- Add input sanitization for table names in introspection

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/drivers/sql/src/index.ts

@@ -638,7 +638,10 @@ export class SqlDriver implements Driver {
                     });
                 }
             } else if (this.config.client === 'sqlite3') {
-                const result = await this.knex.raw(`PRAGMA foreign_key_list(${tableName})`);
+                // SQLite PRAGMA doesn't support parameter binding, so we need to ensure safe identifier
+                // Table names in ObjectQL are validated and should be safe, but we add extra protection
+                const safeTableName = tableName.replace(/[^a-zA-Z0-9_]/g, '');
+                const result = await this.knex.raw(`PRAGMA foreign_key_list(${safeTableName})`);
 
                 for (const row of result) {
                     foreignKeys.push({
@@ -689,7 +692,10 @@ export class SqlDriver implements Driver {
                     primaryKeys.push(row.column_name);
                 }
             } else if (this.config.client === 'sqlite3') {
-                const result = await this.knex.raw(`PRAGMA table_info(${tableName})`);
+                // SQLite PRAGMA doesn't support parameter binding, so we need to ensure safe identifier
+                // Table names in ObjectQL are validated and should be safe, but we add extra protection
+                const safeTableName = tableName.replace(/[^a-zA-Z0-9_]/g, '');
+                const result = await this.knex.raw(`PRAGMA table_info(${safeTableName})`);
 
                 for (const row of result) {
                     if (row.pk === 1) {

packages/foundation/core/src/app.ts

@@ -21,6 +21,7 @@ import { ObjectRepository } from './repository';
 import { executeActionHelper, registerActionHelper, ActionEntry } from './action';
 import { registerHookHelper, triggerHookHelper, HookEntry } from './hook';
 import { registerObjectHelper, getConfigsHelper } from './object';
+import { convertIntrospectedSchemaToObjects } from './util';
 
 export class ObjectQL implements IObjectQL {
     public metadata: MetadataRegistry;
@@ -183,9 +184,6 @@ export class ObjectQL implements IObjectQL {
         console.log(`Introspecting database schema from datasource '${datasourceName}'...`);
         const introspectedSchema = await driver.introspectSchema();
 
-        // Import the conversion utility
-        const { convertIntrospectedSchemaToObjects } = await import('./util');
-        
         // Convert introspected schema to ObjectQL objects
         const objects = convertIntrospectedSchemaToObjects(introspectedSchema, options);
 

packages/foundation/core/src/util.ts

@@ -123,13 +123,14 @@ export function convertIntrospectedSchemaToObjects(
                     fieldConfig.unique = true;
                 }
 
+                // Add max length for text fields
                 // Add max length for text fields
                 if (column.maxLength && (fieldType === 'text' || fieldType === 'textarea')) {
                     fieldConfig.max_length = column.maxLength;
                 }
 
                 // Add default value
-                if (column.defaultValue !== undefined && column.defaultValue !== null) {
+                if (column.defaultValue != null) {
                     fieldConfig.defaultValue = column.defaultValue;
                 }
             }