Problem
internal/database/manager.go (lines ~842, 869) builds SQL queries by concatenating table names via fmt.Sprintf:

    fmt.Sprintf("DESCRIBE `%s`", table)
    fmt.Sprintf("SHOW INDEX FROM `%s`", table)

The QueryTable function (lines ~614-639) strips quotes/backticks but still uses string concatenation at lines ~650, 652. Backtick-wrapping is not a reliable escaping mechanism — a table name containing a backtick can break out.
Impact
Potential data exfiltration or unauthorized database manipulation if an attacker can influence table name inputs.
Proposed Fix
- Use parameterized identifier quoting from the database driver
- Validate table names against a strict allowlist regex (e.g., ^[a-zA-Z0-9_]{1,64}$)
- Reject any name that doesn't match before building the query
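An added illustration of the proposed fix in Go (example code, not the project's manager.go): the allowlist check runs before any query string is built, and a backtick-doubling quoter is kept beside it so the two builders the issue cites can be compared against the reported pattern. The function names ValidateTableName, QuoteIdentifier, DescribeQuery, ShowIndexQuery and UnsafeDescribeQuery, and the sample table names, are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// identRe is the allowlist the issue proposes: ASCII letters, digits and
// underscore, 1 to 64 characters (64 is MySQL's identifier length limit).
var identRe = regexp.MustCompile(`^[a-zA-Z0-9_]{1,64}$`)

// ErrBadIdentifier is returned for any name the allowlist rejects.
var ErrBadIdentifier = errors.New("invalid table name")

// ValidateTableName is the check that must run before any query string is
// built. Go's `$` anchors to end of text (no multiline flag), so a name with
// a trailing newline is rejected as well.
func ValidateTableName(name string) error {
	if !identRe.MatchString(name) {
		return fmt.Errorf("%w: %q", ErrBadIdentifier, name)
	}
	return nil
}

// QuoteIdentifier shows what plain backtick-wrapping is missing: in MySQL a
// literal backtick inside a quoted identifier must be doubled. Defence in
// depth only; the allowlist above already rules backticks out.
func QuoteIdentifier(name string) string {
	return "`" + strings.ReplaceAll(name, "`", "``") + "`"
}

// DescribeQuery is a hardened replacement for the DESCRIBE builder the issue
// cites: validate first, then quote. (Hypothetical name.)
func DescribeQuery(table string) (string, error) {
	if err := ValidateTableName(table); err != nil {
		return "", err
	}
	return "DESCRIBE " + QuoteIdentifier(table), nil
}

// ShowIndexQuery does the same for the SHOW INDEX FROM builder.
func ShowIndexQuery(table string) (string, error) {
	if err := ValidateTableName(table); err != nil {
		return "", err
	}
	return "SHOW INDEX FROM " + QuoteIdentifier(table), nil
}

// UnsafeDescribeQuery reproduces the reported pattern unchanged, for contrast.
func UnsafeDescribeQuery(table string) string {
	return fmt.Sprintf("DESCRIBE `%s`", table)
}

func main() {
	// Constructed inputs: a benign name, a name that closes the backtick
	// early, and a name with a character outside the allowlist. What the
	// trailing text does once it reaches the server depends on the driver
	// and server settings; the point is that it reaches the server at all.
	for _, name := range []string{"users", "users` -- ", "user-sessions"} {
		fmt.Printf("input    %q\n", name)
		fmt.Printf("unsafe   %s\n", UnsafeDescribeQuery(name))
		if q, err := DescribeQuery(name); err != nil {
			fmt.Printf("hardened rejected: %v\n\n", err)
		} else {
			fmt.Printf("hardened %s\n\n", q)
		}
	}
}
```

Two caveats worth keeping in mind when applying this: MySQL `?` placeholders bind values, not identifiers, so the allowlist is the control that actually does the work for table names; and this particular regex also rejects legitimate non-ASCII identifiers (MySQL allows them), so if the schema contains any, the allowlist should be built from the known table names rather than a character class.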