fix: QA 第二轮修复 — PatientDetail 重构/测试覆盖/id_number 列宽/小程序 URL 规范化

- refactor(web): PatientDetail.tsx 拆分为 4 个子组件(737→334行)
- refactor(web): 提取 usePaginatedData hook 消除重复分页状态
- feat(db): patient.id_number varchar(20)→varchar(255) 容纳加密值
- test(health): 添加预约模块集成测试(创建/列表/租户隔离)
- test(plugin): 添加 6 个 SQL 注入 sanitize 测试
- fix(miniprogram): 7 个 service 文件 URL 构建规范化(params 对象)
- fix(miniprogram): 跨平台字段名对齐(birth_date/start_time/end_time)

crates/erp-plugin/src/dynamic_table.rs

@@ -1678,4 +1678,91 @@ mod tests {
         );
         assert!(result.is_err(), "不支持的 grain 应报错");
     }
+
+    // ===== sanitize_identifier SQL 注入防护测试 =====
+
+    #[test]
+    fn test_sanitize_removes_special_chars() {
+        let result = sanitize_identifier("table;name'here\"with`special");
+        assert!(
+            !result.contains(';'),
+            "分号应被替换: {}",
+            result
+        );
+        assert!(
+            !result.contains('\''),
+            "单引号应被替换: {}",
+            result
+        );
+        assert!(
+            !result.contains('"'),
+            "双引号应被替换: {}",
+            result
+        );
+        assert!(
+            !result.contains('`'),
+            "反引号应被替换: {}",
+            result
+        );
+    }
+
+    #[test]
+    fn test_sanitize_allows_alphanumeric_underscore() {
+        let result = sanitize_identifier("my_table_123");
+        assert_eq!(
+            result, "my_table_123",
+            "合法标识符应原样保留"
+        );
+    }
+
+    #[test]
+    fn test_sanitize_handles_drop_table() {
+        let result = sanitize_identifier("users; DROP TABLE users;");
+        assert_eq!(
+            result, "users__DROP_TABLE_users_",
+            "DROP TABLE 注入应被清理为下划线: {}",
+            result
+        );
+        assert!(
+            !result.contains(';'),
+            "不应包含分号: {}",
+            result
+        );
+    }
+
+    #[test]
+    fn test_sanitize_handles_sql_comment() {
+        let result = sanitize_identifier("users--");
+        assert_eq!(
+            result, "users__",
+            "SQL 注释应被替换为下划线: {}",
+            result
+        );
+        assert!(
+            !result.contains('-'),
+            "不应包含连字符: {}",
+            result
+        );
+    }
+
+    #[test]
+    fn test_sanitize_handles_union_injection() {
+        let result = sanitize_identifier("users UNION SELECT");
+        assert_eq!(
+            result, "users_UNION_SELECT",
+            "UNION 注入中空格应被替换为下划线: {}",
+            result
+        );
+        assert!(
+            !result.contains(' '),
+            "不应包含空格: {}",
+            result
+        );
+    }
+
+    #[test]
+    fn test_sanitize_empty_string() {
+        let result = sanitize_identifier("");
+        assert_eq!(result, "", "空字符串应保持为空");
+    }
 }