feat(sql): ✨ Improve base64 handling in SqlNull type

* Refactor base64 encoding and decoding checks for []byte types.
* Simplify type assertions using if statements instead of switch cases.

pkg/common/sql_helpers.go

@@ -130,6 +130,9 @@ func validateWhereClauseSecurity(where string) error {
 // Note: This function will NOT add prefixes to unprefixed columns. It will only fix
 // incorrect prefixes (e.g., wrong_table.column -> correct_table.column), unless the
 // prefix matches a preloaded relation name, in which case it's left unchanged.
+//
+// IMPORTANT: Outer parentheses are preserved if the clause contains top-level OR operators
+// to prevent OR logic from escaping and affecting the entire query incorrectly.
 func SanitizeWhereClause(where string, tableName string, options ...*RequestOptions) string {
 	if where == "" {
 		return ""
@@ -143,8 +146,19 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 		return ""
 	}
 
-	// Strip outer parentheses and re-trim
-	where = stripOuterParentheses(where)
+	// Check if the original clause has outer parentheses and contains OR operators
+	// If so, we need to preserve the outer parentheses to prevent OR logic from escaping
+	hasOuterParens := false
+	if len(where) > 0 && where[0] == '(' && where[len(where)-1] == ')' {
+		_, hasOuterParens = stripOneMatchingOuterParen(where)
+	}
+
+	// Strip outer parentheses and re-trim for processing
+	whereWithoutParens := stripOuterParentheses(where)
+	shouldPreserveParens := hasOuterParens && containsTopLevelOR(whereWithoutParens)
+
+	// Use the stripped version for processing
+	where = whereWithoutParens
 
 	// Get valid columns from the model if tableName is provided
 	var validColumns map[string]bool
@@ -166,6 +180,14 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 				logger.Debug("Added preload relation '%s' as allowed table prefix", options[0].Preload[pi].Relation)
 			}
 		}
+
+		// Add join aliases as allowed prefixes
+		for _, alias := range options[0].JoinAliases {
+			if alias != "" {
+				allowedPrefixes[alias] = true
+				logger.Debug("Added join alias '%s' as allowed table prefix", alias)
+			}
+		}
 	}
 
 	// Split by AND to handle multiple conditions
@@ -221,7 +243,14 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
 
 	result := strings.Join(validConditions, " AND ")
 
-	if result != where {
+	// If the original clause had outer parentheses and contains OR operators,
+	// restore the outer parentheses to prevent OR logic from escaping
+	if shouldPreserveParens {
+		result = "(" + result + ")"
+		logger.Debug("Preserved outer parentheses for OR conditions: '%s'", result)
+	}
+
+	if result != where && !shouldPreserveParens {
 		logger.Debug("Sanitized WHERE clause: '%s' -> '%s'", where, result)
 	}
 
@@ -282,6 +311,93 @@ func stripOneMatchingOuterParen(s string) (string, bool) {
 	return strings.TrimSpace(s[1 : len(s)-1]), true
 }
 
+// EnsureOuterParentheses ensures that a SQL clause is wrapped in parentheses
+// to prevent OR logic from escaping. It checks if the clause already has
+// matching outer parentheses and only adds them if they don't exist.
+//
+// This is particularly important for OR conditions and complex filters where
+// the absence of parentheses could cause the logic to escape and affect
+// the entire query incorrectly.
+//
+// Parameters:
+//   - clause: The SQL clause to check and potentially wrap
+//
+// Returns:
+//   - The clause with guaranteed outer parentheses, or empty string if input is empty
+func EnsureOuterParentheses(clause string) string {
+	if clause == "" {
+		return ""
+	}
+
+	clause = strings.TrimSpace(clause)
+	if clause == "" {
+		return ""
+	}
+
+	// Check if the clause already has matching outer parentheses
+	_, hasOuterParens := stripOneMatchingOuterParen(clause)
+
+	// If it already has matching outer parentheses, return as-is
+	if hasOuterParens {
+		return clause
+	}
+
+	// Otherwise, wrap it in parentheses
+	return "(" + clause + ")"
+}
+
+// containsTopLevelOR checks if a SQL clause contains OR operators at the top level
+// (i.e., not inside parentheses or subqueries). This is used to determine if
+// outer parentheses should be preserved to prevent OR logic from escaping.
+func containsTopLevelOR(clause string) bool {
+	if clause == "" {
+		return false
+	}
+
+	depth := 0
+	inSingleQuote := false
+	inDoubleQuote := false
+	lowerClause := strings.ToLower(clause)
+
+	for i := 0; i < len(clause); i++ {
+		ch := clause[i]
+
+		// Track quote state
+		if ch == '\'' && !inDoubleQuote {
+			inSingleQuote = !inSingleQuote
+			continue
+		}
+		if ch == '"' && !inSingleQuote {
+			inDoubleQuote = !inDoubleQuote
+			continue
+		}
+
+		// Skip if inside quotes
+		if inSingleQuote || inDoubleQuote {
+			continue
+		}
+
+		// Track parenthesis depth
+		switch ch {
+		case '(':
+			depth++
+		case ')':
+			depth--
+		}
+
+		// Only check for OR at depth 0 (not inside parentheses)
+		if depth == 0 && i+4 <= len(clause) {
+			// Check for " OR " (case-insensitive)
+			substring := lowerClause[i : i+4]
+			if substring == " or " {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 // splitByAND splits a WHERE clause by AND operators (case-insensitive)
 // This is parenthesis-aware and won't split on AND operators inside subqueries
 func splitByAND(where string) []string {

pkg/common/sql_helpers_test.go

@@ -659,6 +659,179 @@ func TestSanitizeWhereClauseWithModel(t *testing.T) {
 	}
 }
 
+func TestEnsureOuterParentheses(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected string
+	}{
+		{
+			name:     "no parentheses",
+			input:    "status = 'active'",
+			expected: "(status = 'active')",
+		},
+		{
+			name:     "already has outer parentheses",
+			input:    "(status = 'active')",
+			expected: "(status = 'active')",
+		},
+		{
+			name:     "OR condition without parentheses",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: "(status = 'active' OR status = 'pending')",
+		},
+		{
+			name:     "OR condition with parentheses",
+			input:    "(status = 'active' OR status = 'pending')",
+			expected: "(status = 'active' OR status = 'pending')",
+		},
+		{
+			name:     "complex condition with nested parentheses",
+			input:    "(status = 'active' OR status = 'pending') AND (age > 18)",
+			expected: "((status = 'active' OR status = 'pending') AND (age > 18))",
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: "",
+		},
+		{
+			name:     "whitespace only",
+			input:    "   ",
+			expected: "",
+		},
+		{
+			name:     "mismatched parentheses - adds outer ones",
+			input:    "(status = 'active' OR status = 'pending'",
+			expected: "((status = 'active' OR status = 'pending')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := EnsureOuterParentheses(tt.input)
+			if result != tt.expected {
+				t.Errorf("EnsureOuterParentheses(%q) = %q; want %q", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestContainsTopLevelOR(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    string
+		expected bool
+	}{
+		{
+			name:     "no OR operator",
+			input:    "status = 'active' AND age > 18",
+			expected: false,
+		},
+		{
+			name:     "top-level OR",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: true,
+		},
+		{
+			name:     "OR inside parentheses",
+			input:    "age > 18 AND (status = 'active' OR status = 'pending')",
+			expected: false,
+		},
+		{
+			name:     "OR in subquery",
+			input:    "id IN (SELECT id FROM users WHERE status = 'active' OR status = 'pending')",
+			expected: false,
+		},
+		{
+			name:     "OR inside quotes",
+			input:    "comment = 'this OR that'",
+			expected: false,
+		},
+		{
+			name:     "mixed - top-level OR and nested OR",
+			input:    "name = 'test' OR (status = 'active' OR status = 'pending')",
+			expected: true,
+		},
+		{
+			name:     "empty string",
+			input:    "",
+			expected: false,
+		},
+		{
+			name:     "lowercase or",
+			input:    "status = 'active' or status = 'pending'",
+			expected: true,
+		},
+		{
+			name:     "uppercase OR",
+			input:    "status = 'active' OR status = 'pending'",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := containsTopLevelOR(tt.input)
+			if result != tt.expected {
+				t.Errorf("containsTopLevelOR(%q) = %v; want %v", tt.input, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestSanitizeWhereClause_PreservesParenthesesWithOR(t *testing.T) {
+	tests := []struct {
+		name      string
+		where     string
+		tableName string
+		expected  string
+	}{
+		{
+			name:      "OR condition with outer parentheses - preserved",
+			where:     "(status = 'active' OR status = 'pending')",
+			tableName: "users",
+			expected:  "(users.status = 'active' OR users.status = 'pending')",
+		},
+		{
+			name:      "AND condition with outer parentheses - stripped (no OR)",
+			where:     "(status = 'active' AND age > 18)",
+			tableName: "users",
+			expected:  "users.status = 'active' AND users.age > 18",
+		},
+		{
+			name:      "complex OR with nested conditions",
+			where:     "((status = 'active' OR status = 'pending') AND age > 18)",
+			tableName: "users",
+			// Outer parens are stripped, but inner parens with OR are preserved
+			expected: "(users.status = 'active' OR users.status = 'pending') AND users.age > 18",
+		},
+		{
+			name:      "OR without outer parentheses - no parentheses added by SanitizeWhereClause",
+			where:     "status = 'active' OR status = 'pending'",
+			tableName: "users",
+			expected:  "users.status = 'active' OR users.status = 'pending'",
+		},
+		{
+			name:      "simple OR with parentheses - preserved",
+			where:     "(users.status = 'active' OR users.status = 'pending')",
+			tableName: "users",
+			// Already has correct prefixes, parentheses preserved
+			expected: "(users.status = 'active' OR users.status = 'pending')",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			prefixedWhere := AddTablePrefixToColumns(tt.where, tt.tableName)
+			result := SanitizeWhereClause(prefixedWhere, tt.tableName)
+			if result != tt.expected {
+				t.Errorf("SanitizeWhereClause(%q, %q) = %q; want %q", tt.where, tt.tableName, result, tt.expected)
+			}
+		})
+	}
+}
+
 func TestAddTablePrefixToColumns_ComplexConditions(t *testing.T) {
 tests := []struct {
 name      string

pkg/common/types.go

@@ -23,6 +23,10 @@ type RequestOptions struct {
 	CursorForward  string  `json:"cursor_forward"`
 	CursorBackward string  `json:"cursor_backward"`
 	FetchRowNumber *string `json:"fetch_row_number"`
+
+	// Join table aliases (used for validation of prefixed columns in filters/sorts)
+	// Not serialized to JSON as it's internal validation state
+	JoinAliases []string `json:"-"`
 }
 
 type Parameter struct {

pkg/common/validation.go

@@ -237,15 +237,29 @@ func (v *ColumnValidator) FilterRequestOptions(options RequestOptions) RequestOp
 	for _, sort := range options.Sort {
 		if v.IsValidColumn(sort.Column) {
 			validSorts = append(validSorts, sort)
-		} else if strings.HasPrefix(sort.Column, "(") && strings.HasSuffix(sort.Column, ")") {
-			// Allow sort by expression/subquery, but validate for security
-			if IsSafeSortExpression(sort.Column) {
-				validSorts = append(validSorts, sort)
-			} else {
-				logger.Warn("Unsafe sort expression '%s' removed", sort.Column)
-			}
 		} else {
-			logger.Warn("Invalid column in sort '%s' removed", sort.Column)
+			foundJoin := false
+			for _, j := range options.JoinAliases {
+				if strings.Contains(sort.Column, j) {
+					foundJoin = true
+					break
+				}
+			}
+			if foundJoin {
+				validSorts = append(validSorts, sort)
+				continue
+			}
+			if strings.HasPrefix(sort.Column, "(") && strings.HasSuffix(sort.Column, ")") {
+				// Allow sort by expression/subquery, but validate for security
+				if IsSafeSortExpression(sort.Column) {
+					validSorts = append(validSorts, sort)
+				} else {
+					logger.Warn("Unsafe sort expression '%s' removed", sort.Column)
+				}
+
+			} else {
+				logger.Warn("Invalid column in sort '%s' removed", sort.Column)
+			}
 		}
 	}
 	filtered.Sort = validSorts
@@ -291,6 +305,9 @@ func (v *ColumnValidator) FilterRequestOptions(options RequestOptions) RequestOp
 	}
 	filtered.Preload = validPreloads
 
+	// Clear JoinAliases - this is an internal validation field and should not be persisted
+	filtered.JoinAliases = nil
+
 	return filtered
 }
 

pkg/common/validation_test.go

@@ -362,6 +362,29 @@ func TestFilterRequestOptions(t *testing.T) {
 	}
 }
 
+func TestFilterRequestOptions_ClearsJoinAliases(t *testing.T) {
+	model := TestModel{}
+	validator := NewColumnValidator(model)
+
+	options := RequestOptions{
+		Columns: []string{"id", "name"},
+		// Set JoinAliases - this should be cleared by FilterRequestOptions
+		JoinAliases: []string{"d", "u", "r"},
+	}
+
+	filtered := validator.FilterRequestOptions(options)
+
+	// Verify that JoinAliases was cleared (internal field should not persist)
+	if filtered.JoinAliases != nil {
+		t.Errorf("Expected JoinAliases to be nil after filtering, got %v", filtered.JoinAliases)
+	}
+
+	// Verify that other fields are still properly filtered
+	if len(filtered.Columns) != 2 {
+		t.Errorf("Expected 2 columns, got %d", len(filtered.Columns))
+	}
+}
+
 func TestIsSafeSortExpression(t *testing.T) {
 	tests := []struct {
 		name       string

pkg/dbmanager/config.go

@@ -221,7 +221,10 @@ func (cc *ConnectionConfig) ApplyDefaults(global *ManagerConfig) {
 		cc.ConnectTimeout = 10 * time.Second
 	}
 	if cc.QueryTimeout == 0 {
-		cc.QueryTimeout = 30 * time.Second
+		cc.QueryTimeout = 2 * time.Minute // Default to 2 minutes
+	} else if cc.QueryTimeout < 2*time.Minute {
+		// Enforce minimum of 2 minutes
+		cc.QueryTimeout = 2 * time.Minute
 	}
 
 	// Default ORM
@@ -325,14 +328,29 @@ func (cc *ConnectionConfig) buildPostgresDSN() string {
 		dsn += fmt.Sprintf(" search_path=%s", cc.Schema)
 	}
 
+	// Add statement_timeout for query execution timeout (in milliseconds)
+	if cc.QueryTimeout > 0 {
+		timeoutMs := int(cc.QueryTimeout.Milliseconds())
+		dsn += fmt.Sprintf(" statement_timeout=%d", timeoutMs)
+	}
+
 	return dsn
 }
 
 func (cc *ConnectionConfig) buildSQLiteDSN() string {
-	if cc.FilePath != "" {
-		return cc.FilePath
+	filepath := cc.FilePath
+	if filepath == "" {
+		filepath = ":memory:"
 	}
-	return ":memory:"
+
+	// Add query parameters for timeouts
+	// Note: SQLite driver supports _timeout parameter (in milliseconds)
+	if cc.QueryTimeout > 0 {
+		timeoutMs := int(cc.QueryTimeout.Milliseconds())
+		filepath += fmt.Sprintf("?_timeout=%d", timeoutMs)
+	}
+
+	return filepath
 }
 
 func (cc *ConnectionConfig) buildMSSQLDSN() string {
@@ -344,6 +362,24 @@ func (cc *ConnectionConfig) buildMSSQLDSN() string {
 		dsn += fmt.Sprintf("&schema=%s", cc.Schema)
 	}
 
+	// Add connection timeout (in seconds)
+	if cc.ConnectTimeout > 0 {
+		timeoutSec := int(cc.ConnectTimeout.Seconds())
+		dsn += fmt.Sprintf("&connection timeout=%d", timeoutSec)
+	}
+
+	// Add dial timeout for TCP connection (in seconds)
+	if cc.ConnectTimeout > 0 {
+		dialTimeoutSec := int(cc.ConnectTimeout.Seconds())
+		dsn += fmt.Sprintf("&dial timeout=%d", dialTimeoutSec)
+	}
+
+	// Add read timeout (in seconds) - enforces timeout for reading data
+	if cc.QueryTimeout > 0 {
+		readTimeoutSec := int(cc.QueryTimeout.Seconds())
+		dsn += fmt.Sprintf("&read timeout=%d", readTimeoutSec)
+	}
+
 	return dsn
 }
 

pkg/dbmanager/providers/sqlite.go

@@ -76,8 +76,12 @@ func (p *SQLiteProvider) Connect(ctx context.Context, cfg ConnectionConfig) erro
 		// Don't fail connection if WAL mode cannot be enabled
 	}
 
-	// Set busy timeout to handle locked database
-	_, err = db.ExecContext(ctx, "PRAGMA busy_timeout=5000")
+	// Set busy timeout to handle locked database (minimum 2 minutes = 120000ms)
+	busyTimeout := cfg.GetQueryTimeout().Milliseconds()
+	if busyTimeout < 120000 {
+		busyTimeout = 120000 // Enforce minimum of 2 minutes
+	}
+	_, err = db.ExecContext(ctx, fmt.Sprintf("PRAGMA busy_timeout=%d", busyTimeout))
 	if err != nil {
 		if cfg.GetEnableLogging() {
 			logger.Warn("Failed to set busy timeout for SQLite", "error", err)

pkg/resolvespec/handler.go

@@ -318,6 +318,8 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		if cursorFilter != "" {
 			logger.Debug("Applying cursor filter: %s", cursorFilter)
 			sanitizedCursor := common.SanitizeWhereClause(cursorFilter, reflection.ExtractTableNameOnly(tableName), &options)
+			// Ensure outer parentheses to prevent OR logic from escaping
+			sanitizedCursor = common.EnsureOuterParentheses(sanitizedCursor)
 			if sanitizedCursor != "" {
 				query = query.Where(sanitizedCursor)
 			}
@@ -1656,6 +1658,8 @@ func (h *Handler) applyPreloads(model interface{}, query common.SelectQuery, pre
 				// Build RequestOptions with all preloads to allow references to sibling relations
 				preloadOpts := &common.RequestOptions{Preload: preloads}
 				sanitizedWhere := common.SanitizeWhereClause(preload.Where, reflection.ExtractTableNameOnly(preload.Relation), preloadOpts)
+				// Ensure outer parentheses to prevent OR logic from escaping
+				sanitizedWhere = common.EnsureOuterParentheses(sanitizedWhere)
 				if len(sanitizedWhere) > 0 {
 					sq = sq.Where(sanitizedWhere)
 				}

pkg/restheadspec/HEADERS.md

@@ -233,6 +233,27 @@ x-custom-sql-join: LEFT JOIN departments d ON d.id = e.dept_id | INNER JOIN role
 - Multiple JOINs can be specified using the pipe `|` separator
 - JOINs are sanitized for security
 - Can be specified via headers or query parameters
+- **Table aliases are automatically extracted and allowed for filtering and sorting**
+
+**Using Join Aliases in Filters and Sorts:**
+
+When you specify a custom SQL join with an alias, you can use that alias in your filter and sort parameters:
+
+```
+# Join with alias
+x-custom-sql-join: LEFT JOIN departments d ON d.id = employees.department_id
+
+# Sort by joined table column
+x-sort: d.name,employees.id
+
+# Filter by joined table column
+x-searchop-eq-d.name: Engineering
+```
+
+The system automatically:
+1. Extracts the alias from the JOIN clause (e.g., `d` from `departments d`)
+2. Validates that prefixed columns (like `d.name`) refer to valid join aliases
+3. Allows these prefixed columns in filters and sorts
 
 ---
 

pkg/restheadspec/handler.go

@@ -463,7 +463,8 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 	}
 
 	// Apply filters - validate and adjust for column types first
-	for i := range options.Filters {
+	// Group consecutive OR filters together to prevent OR logic from escaping
+	for i := 0; i < len(options.Filters); {
 		filter := &options.Filters[i]
 
 		// Validate and adjust filter based on column type
@@ -475,8 +476,39 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 			logicOp = "AND"
 		}
 
-		logger.Debug("Applying filter: %s %s %v (needsCast=%v, logic=%s)", filter.Column, filter.Operator, filter.Value, castInfo.NeedsCast, logicOp)
-		query = h.applyFilter(query, *filter, tableName, castInfo.NeedsCast, logicOp)
+		// Check if this is the start of an OR group
+		if logicOp == "OR" {
+			// Collect all consecutive OR filters
+			orFilters := []*common.FilterOption{filter}
+			orCastInfo := []ColumnCastInfo{castInfo}
+
+			j := i + 1
+			for j < len(options.Filters) {
+				nextFilter := &options.Filters[j]
+				nextLogicOp := nextFilter.LogicOperator
+				if nextLogicOp == "" {
+					nextLogicOp = "AND"
+				}
+				if nextLogicOp == "OR" {
+					nextCastInfo := h.ValidateAndAdjustFilterForColumnType(nextFilter, model)
+					orFilters = append(orFilters, nextFilter)
+					orCastInfo = append(orCastInfo, nextCastInfo)
+					j++
+				} else {
+					break
+				}
+			}
+
+			// Apply the OR group as a single grouped condition
+			logger.Debug("Applying OR filter group with %d conditions", len(orFilters))
+			query = h.applyOrFilterGroup(query, orFilters, orCastInfo, tableName)
+			i = j
+		} else {
+			// Single AND filter - apply normally
+			logger.Debug("Applying filter: %s %s %v (needsCast=%v, logic=%s)", filter.Column, filter.Operator, filter.Value, castInfo.NeedsCast, logicOp)
+			query = h.applyFilter(query, *filter, tableName, castInfo.NeedsCast, logicOp)
+			i++
+		}
 	}
 
 	// Apply custom SQL WHERE clause (AND condition)
@@ -486,6 +518,8 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		prefixedWhere := common.AddTablePrefixToColumns(options.CustomSQLWhere, reflection.ExtractTableNameOnly(tableName))
 		// Then sanitize and allow preload table prefixes since custom SQL may reference multiple tables
 		sanitizedWhere := common.SanitizeWhereClause(prefixedWhere, reflection.ExtractTableNameOnly(tableName), &options.RequestOptions)
+		// Ensure outer parentheses to prevent OR logic from escaping
+		sanitizedWhere = common.EnsureOuterParentheses(sanitizedWhere)
 		if sanitizedWhere != "" {
 			query = query.Where(sanitizedWhere)
 		}
@@ -497,6 +531,8 @@ func (h *Handler) handleRead(ctx context.Context, w common.ResponseWriter, id st
 		customOr := common.AddTablePrefixToColumns(options.CustomSQLOr, reflection.ExtractTableNameOnly(tableName))
 		// Sanitize and allow preload table prefixes since custom SQL may reference multiple tables
 		sanitizedOr := common.SanitizeWhereClause(customOr, reflection.ExtractTableNameOnly(tableName), &options.RequestOptions)
+		// Ensure outer parentheses to prevent OR logic from escaping
+		sanitizedOr = common.EnsureOuterParentheses(sanitizedOr)
 		if sanitizedOr != "" {
 			query = query.WhereOr(sanitizedOr)
 		}
@@ -1996,6 +2032,99 @@ func (h *Handler) applyFilter(query common.SelectQuery, filter common.FilterOpti
 	}
 }
 
+// applyOrFilterGroup applies a group of OR filters as a single grouped condition
+// This ensures OR conditions are properly grouped with parentheses to prevent OR logic from escaping
+func (h *Handler) applyOrFilterGroup(query common.SelectQuery, filters []*common.FilterOption, castInfo []ColumnCastInfo, tableName string) common.SelectQuery {
+	if len(filters) == 0 {
+		return query
+	}
+
+	// Build individual filter conditions
+	conditions := []string{}
+	args := []interface{}{}
+
+	for i, filter := range filters {
+		// Qualify the column name with table name if not already qualified
+		qualifiedColumn := h.qualifyColumnName(filter.Column, tableName)
+
+		// Apply casting to text if needed for non-numeric columns or non-numeric values
+		if castInfo[i].NeedsCast {
+			qualifiedColumn = fmt.Sprintf("CAST(%s AS TEXT)", qualifiedColumn)
+		}
+
+		// Build the condition based on operator
+		condition, filterArgs := h.buildFilterCondition(qualifiedColumn, filter, tableName)
+		if condition != "" {
+			conditions = append(conditions, condition)
+			args = append(args, filterArgs...)
+		}
+	}
+
+	if len(conditions) == 0 {
+		return query
+	}
+
+	// Join all conditions with OR and wrap in parentheses
+	groupedCondition := "(" + strings.Join(conditions, " OR ") + ")"
+	logger.Debug("Applying grouped OR conditions: %s", groupedCondition)
+
+	// Apply as AND condition (the OR is already inside the parentheses)
+	return query.Where(groupedCondition, args...)
+}
+
+// buildFilterCondition builds a single filter condition and returns the condition string and args
+func (h *Handler) buildFilterCondition(qualifiedColumn string, filter *common.FilterOption, tableName string) (filterStr string, filterInterface []interface{}) {
+	switch strings.ToLower(filter.Operator) {
+	case "eq", "equals":
+		return fmt.Sprintf("%s = ?", qualifiedColumn), []interface{}{filter.Value}
+	case "neq", "not_equals", "ne":
+		return fmt.Sprintf("%s != ?", qualifiedColumn), []interface{}{filter.Value}
+	case "gt", "greater_than":
+		return fmt.Sprintf("%s > ?", qualifiedColumn), []interface{}{filter.Value}
+	case "gte", "greater_than_equals", "ge":
+		return fmt.Sprintf("%s >= ?", qualifiedColumn), []interface{}{filter.Value}
+	case "lt", "less_than":
+		return fmt.Sprintf("%s < ?", qualifiedColumn), []interface{}{filter.Value}
+	case "lte", "less_than_equals", "le":
+		return fmt.Sprintf("%s <= ?", qualifiedColumn), []interface{}{filter.Value}
+	case "like":
+		return fmt.Sprintf("%s LIKE ?", qualifiedColumn), []interface{}{filter.Value}
+	case "ilike":
+		return fmt.Sprintf("%s ILIKE ?", qualifiedColumn), []interface{}{filter.Value}
+	case "in":
+		return fmt.Sprintf("%s IN (?)", qualifiedColumn), []interface{}{filter.Value}
+	case "between":
+		// Handle between operator - exclusive (> val1 AND < val2)
+		if values, ok := filter.Value.([]interface{}); ok && len(values) == 2 {
+			return fmt.Sprintf("(%s > ? AND %s < ?)", qualifiedColumn, qualifiedColumn), []interface{}{values[0], values[1]}
+		} else if values, ok := filter.Value.([]string); ok && len(values) == 2 {
+			return fmt.Sprintf("(%s > ? AND %s < ?)", qualifiedColumn, qualifiedColumn), []interface{}{values[0], values[1]}
+		}
+		logger.Warn("Invalid BETWEEN filter value format")
+		return "", nil
+	case "between_inclusive":
+		// Handle between inclusive operator - inclusive (>= val1 AND <= val2)
+		if values, ok := filter.Value.([]interface{}); ok && len(values) == 2 {
+			return fmt.Sprintf("(%s >= ? AND %s <= ?)", qualifiedColumn, qualifiedColumn), []interface{}{values[0], values[1]}
+		} else if values, ok := filter.Value.([]string); ok && len(values) == 2 {
+			return fmt.Sprintf("(%s >= ? AND %s <= ?)", qualifiedColumn, qualifiedColumn), []interface{}{values[0], values[1]}
+		}
+		logger.Warn("Invalid BETWEEN INCLUSIVE filter value format")
+		return "", nil
+	case "is_null", "isnull":
+		// Check for NULL values - don't use cast for NULL checks
+		colName := h.qualifyColumnName(filter.Column, tableName)
+		return fmt.Sprintf("(%s IS NULL OR %s = '')", colName, colName), nil
+	case "is_not_null", "isnotnull":
+		// Check for NOT NULL values - don't use cast for NULL checks
+		colName := h.qualifyColumnName(filter.Column, tableName)
+		return fmt.Sprintf("(%s IS NOT NULL AND %s != '')", colName, colName), nil
+	default:
+		logger.Warn("Unknown filter operator: %s, defaulting to equals", filter.Operator)
+		return fmt.Sprintf("%s = ?", qualifiedColumn), []interface{}{filter.Value}
+	}
+}
+
 // parseTableName splits a table name that may contain schema into separate schema and table
 func (h *Handler) parseTableName(fullTableName string) (schema, table string) {
 	if idx := strings.LastIndex(fullTableName, "."); idx != -1 {

pkg/restheadspec/headers.go

@@ -28,6 +28,7 @@ type ExtendedRequestOptions struct {
 	// Joins
 	Expand        []ExpandOption
 	CustomSQLJoin []string // Custom SQL JOIN clauses
+	JoinAliases   []string // Extracted table aliases from CustomSQLJoin for validation
 
 	// Advanced features
 	AdvancedSQL map[string]string // Column -> SQL expression
@@ -528,11 +529,69 @@ func (h *Handler) parseCustomSQLJoin(options *ExtendedRequestOptions, value stri
 			continue
 		}
 
+		// Extract table alias from the JOIN clause
+		alias := extractJoinAlias(sanitizedJoin)
+		if alias != "" {
+			options.JoinAliases = append(options.JoinAliases, alias)
+			// Also add to the embedded RequestOptions for validation
+			options.RequestOptions.JoinAliases = append(options.RequestOptions.JoinAliases, alias)
+			logger.Debug("Extracted join alias: %s", alias)
+		}
+
 		logger.Debug("Adding custom SQL join: %s", sanitizedJoin)
 		options.CustomSQLJoin = append(options.CustomSQLJoin, sanitizedJoin)
 	}
 }
 
+// extractJoinAlias extracts the table alias from a JOIN clause
+// Examples:
+//   - "LEFT JOIN departments d ON ..." -> "d"
+//   - "INNER JOIN users AS u ON ..." -> "u"
+//   - "JOIN roles r ON ..." -> "r"
+func extractJoinAlias(joinClause string) string {
+	// Pattern: JOIN table_name [AS] alias ON ...
+	// We need to extract the alias (word before ON)
+
+	upperJoin := strings.ToUpper(joinClause)
+
+	// Find the "JOIN" keyword position
+	joinIdx := strings.Index(upperJoin, "JOIN")
+	if joinIdx == -1 {
+		return ""
+	}
+
+	// Find the "ON" keyword position
+	onIdx := strings.Index(upperJoin, " ON ")
+	if onIdx == -1 {
+		return ""
+	}
+
+	// Extract the part between JOIN and ON
+	betweenJoinAndOn := strings.TrimSpace(joinClause[joinIdx+4 : onIdx])
+
+	// Split by spaces to get words
+	words := strings.Fields(betweenJoinAndOn)
+	if len(words) == 0 {
+		return ""
+	}
+
+	// If there's an AS keyword, the alias is after it
+	for i, word := range words {
+		if strings.EqualFold(word, "AS") && i+1 < len(words) {
+			return words[i+1]
+		}
+	}
+
+	// Otherwise, the alias is the last word (if there are 2+ words)
+	// Format: "table_name alias" or just "table_name"
+	if len(words) >= 2 {
+		return words[len(words)-1]
+	}
+
+	// Only one word means it's just the table name, no alias
+	return ""
+}
+
 // parseSorting parses x-sort header
 // Format: +field1,-field2,field3 (+ for ASC, - for DESC, default ASC)
 func (h *Handler) parseSorting(options *ExtendedRequestOptions, value string) {

pkg/restheadspec/query_params_test.go

@@ -357,6 +357,107 @@ func TestParseOptionsFromQueryParams(t *testing.T) {
 				}
 			},
 		},
+		{
+			name: "Extract aliases from custom SQL JOIN",
+			queryParams: map[string]string{
+				"x-custom-sql-join": `LEFT JOIN departments d ON d.id = employees.department_id`,
+			},
+			validate: func(t *testing.T, options ExtendedRequestOptions) {
+				if len(options.JoinAliases) == 0 {
+					t.Error("Expected JoinAliases to be extracted")
+					return
+				}
+				if len(options.JoinAliases) != 1 {
+					t.Errorf("Expected 1 join alias, got %d", len(options.JoinAliases))
+					return
+				}
+				if options.JoinAliases[0] != "d" {
+					t.Errorf("Expected join alias 'd', got %q", options.JoinAliases[0])
+				}
+				// Also check that it's in the embedded RequestOptions
+				if len(options.RequestOptions.JoinAliases) != 1 || options.RequestOptions.JoinAliases[0] != "d" {
+					t.Error("Expected join alias to also be in RequestOptions.JoinAliases")
+				}
+			},
+		},
+		{
+			name: "Extract multiple aliases from multiple custom SQL JOINs",
+			queryParams: map[string]string{
+				"x-custom-sql-join": `LEFT JOIN departments d ON d.id = e.dept_id | INNER JOIN roles AS r ON r.id = e.role_id`,
+			},
+			validate: func(t *testing.T, options ExtendedRequestOptions) {
+				if len(options.JoinAliases) != 2 {
+					t.Errorf("Expected 2 join aliases, got %d", len(options.JoinAliases))
+					return
+				}
+				expectedAliases := []string{"d", "r"}
+				for i, expected := range expectedAliases {
+					if options.JoinAliases[i] != expected {
+						t.Errorf("Expected join alias[%d]=%q, got %q", i, expected, options.JoinAliases[i])
+					}
+				}
+			},
+		},
+		{
+			name: "Custom JOIN with sort on joined table",
+			queryParams: map[string]string{
+				"x-custom-sql-join": `LEFT JOIN departments d ON d.id = employees.department_id`,
+				"x-sort":            "d.name,employees.id",
+			},
+			validate: func(t *testing.T, options ExtendedRequestOptions) {
+				// Verify join was added
+				if len(options.CustomSQLJoin) != 1 {
+					t.Errorf("Expected 1 custom SQL join, got %d", len(options.CustomSQLJoin))
+					return
+				}
+				// Verify alias was extracted
+				if len(options.JoinAliases) != 1 || options.JoinAliases[0] != "d" {
+					t.Error("Expected join alias 'd' to be extracted")
+					return
+				}
+				// Verify sort was parsed
+				if len(options.Sort) != 2 {
+					t.Errorf("Expected 2 sort options, got %d", len(options.Sort))
+					return
+				}
+				if options.Sort[0].Column != "d.name" {
+					t.Errorf("Expected first sort column 'd.name', got %q", options.Sort[0].Column)
+				}
+				if options.Sort[1].Column != "employees.id" {
+					t.Errorf("Expected second sort column 'employees.id', got %q", options.Sort[1].Column)
+				}
+			},
+		},
+		{
+			name: "Custom JOIN with filter on joined table",
+			queryParams: map[string]string{
+				"x-custom-sql-join":    `LEFT JOIN departments d ON d.id = employees.department_id`,
+				"x-searchop-eq-d.name": "Engineering",
+			},
+			validate: func(t *testing.T, options ExtendedRequestOptions) {
+				// Verify join was added
+				if len(options.CustomSQLJoin) != 1 {
+					t.Error("Expected 1 custom SQL join")
+					return
+				}
+				// Verify alias was extracted
+				if len(options.JoinAliases) != 1 || options.JoinAliases[0] != "d" {
+					t.Error("Expected join alias 'd' to be extracted")
+					return
+				}
+				// Verify filter was parsed
+				if len(options.Filters) != 1 {
+					t.Errorf("Expected 1 filter, got %d", len(options.Filters))
+					return
+				}
+				if options.Filters[0].Column != "d.name" {
+					t.Errorf("Expected filter column 'd.name', got %q", options.Filters[0].Column)
+				}
+				if options.Filters[0].Operator != "eq" {
+					t.Errorf("Expected filter operator 'eq', got %q", options.Filters[0].Operator)
+				}
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -451,6 +552,55 @@ func TestHeadersAndQueryParamsCombined(t *testing.T) {
 	}
 }
 
+// TestCustomJoinAliasExtraction tests the extractJoinAlias helper function
+func TestCustomJoinAliasExtraction(t *testing.T) {
+	tests := []struct {
+		name     string
+		join     string
+		expected string
+	}{
+		{
+			name:     "LEFT JOIN with alias",
+			join:     "LEFT JOIN departments d ON d.id = employees.department_id",
+			expected: "d",
+		},
+		{
+			name:     "INNER JOIN with AS keyword",
+			join:     "INNER JOIN users AS u ON u.id = posts.user_id",
+			expected: "u",
+		},
+		{
+			name:     "Simple JOIN with alias",
+			join:     "JOIN roles r ON r.id = user_roles.role_id",
+			expected: "r",
+		},
+		{
+			name:     "JOIN without alias (just table name)",
+			join:     "JOIN departments ON departments.id = employees.dept_id",
+			expected: "",
+		},
+		{
+			name:     "RIGHT JOIN with alias",
+			join:     "RIGHT JOIN orders o ON o.customer_id = customers.id",
+			expected: "o",
+		},
+		{
+			name:     "FULL OUTER JOIN with AS",
+			join:     "FULL OUTER JOIN products AS p ON p.id = order_items.product_id",
+			expected: "p",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := extractJoinAlias(tt.join)
+			if result != tt.expected {
+				t.Errorf("extractJoinAlias(%q) = %q, want %q", tt.join, result, tt.expected)
+			}
+		})
+	}
+}
+
 // Helper function to check if a string contains a substring
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && (s == substr || len(s) > len(substr) && containsHelper(s, substr))

pkg/server/manager.go

@@ -411,7 +411,9 @@ func newInstance(cfg Config) (*serverInstance, error) {
 		return nil, fmt.Errorf("handler cannot be nil")
 	}
 
-	// Set default timeouts
+	// Set default timeouts with minimum of 10 minutes for connection timeouts
+	minConnectionTimeout := 10 * time.Minute
+
 	if cfg.ShutdownTimeout == 0 {
 		cfg.ShutdownTimeout = 30 * time.Second
 	}
@@ -419,13 +421,22 @@ func newInstance(cfg Config) (*serverInstance, error) {
 		cfg.DrainTimeout = 25 * time.Second
 	}
 	if cfg.ReadTimeout == 0 {
-		cfg.ReadTimeout = 15 * time.Second
+		cfg.ReadTimeout = minConnectionTimeout
+	} else if cfg.ReadTimeout < minConnectionTimeout {
+		// Enforce minimum of 10 minutes
+		cfg.ReadTimeout = minConnectionTimeout
 	}
 	if cfg.WriteTimeout == 0 {
-		cfg.WriteTimeout = 15 * time.Second
+		cfg.WriteTimeout = minConnectionTimeout
+	} else if cfg.WriteTimeout < minConnectionTimeout {
+		// Enforce minimum of 10 minutes
+		cfg.WriteTimeout = minConnectionTimeout
 	}
 	if cfg.IdleTimeout == 0 {
-		cfg.IdleTimeout = 60 * time.Second
+		cfg.IdleTimeout = minConnectionTimeout
+	} else if cfg.IdleTimeout < minConnectionTimeout {
+		// Enforce minimum of 10 minutes
+		cfg.IdleTimeout = minConnectionTimeout
 	}
 
 	addr := fmt.Sprintf("%s:%d", cfg.Host, cfg.Port)

pkg/spectypes/sql_types.go

@@ -4,6 +4,7 @@ package spectypes
 import (
 	"database/sql"
 	"database/sql/driver"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -60,7 +61,33 @@ func (n *SqlNull[T]) Scan(value any) error {
 		return nil
 	}
 
-	// Try standard sql.Null[T] first.
+	// Check if T is []byte, and decode base64 if applicable
+	// Do this BEFORE trying sql.Null to ensure base64 is handled
+	var zero T
+	if _, ok := any(zero).([]byte); ok {
+		// For []byte types, try to decode from base64
+		var strVal string
+		switch v := value.(type) {
+		case string:
+			strVal = v
+		case []byte:
+			strVal = string(v)
+		default:
+			strVal = fmt.Sprintf("%v", value)
+		}
+		// Try base64 decode
+		if decoded, err := base64.StdEncoding.DecodeString(strVal); err == nil {
+			n.Val = any(decoded).(T)
+			n.Valid = true
+			return nil
+		}
+		// Fallback to raw bytes
+		n.Val = any([]byte(strVal)).(T)
+		n.Valid = true
+		return nil
+	}
+
+	// Try standard sql.Null[T] for other types.
 	var sqlNull sql.Null[T]
 	if err := sqlNull.Scan(value); err == nil {
 		n.Val = sqlNull.V
@@ -122,6 +149,9 @@ func (n *SqlNull[T]) FromString(s string) error {
 			n.Val = any(u).(T)
 			n.Valid = true
 		}
+	case []byte:
+		n.Val = any([]byte(s)).(T)
+		n.Valid = true
 	case string:
 		n.Val = any(s).(T)
 		n.Valid = true
@@ -149,6 +179,14 @@ func (n SqlNull[T]) MarshalJSON() ([]byte, error) {
 	if !n.Valid {
 		return []byte("null"), nil
 	}
+
+	// Check if T is []byte, and encode to base64
+	if _, ok := any(n.Val).([]byte); ok {
+		// Encode []byte as base64
+		encoded := base64.StdEncoding.EncodeToString(any(n.Val).([]byte))
+		return json.Marshal(encoded)
+	}
+
 	return json.Marshal(n.Val)
 }
 
@@ -160,8 +198,25 @@ func (n *SqlNull[T]) UnmarshalJSON(b []byte) error {
 		return nil
 	}
 
-	// Try direct unmarshal.
+	// Check if T is []byte, and decode from base64
 	var val T
+	if _, ok := any(val).([]byte); ok {
+		// Unmarshal as string first (JSON representation)
+		var s string
+		if err := json.Unmarshal(b, &s); err == nil {
+			// Decode from base64
+			if decoded, err := base64.StdEncoding.DecodeString(s); err == nil {
+				n.Val = any(decoded).(T)
+				n.Valid = true
+				return nil
+			}
+			// Fallback to raw string as bytes
+			n.Val = any([]byte(s)).(T)
+			n.Valid = true
+			return nil
+		}
+	}
+
 	if err := json.Unmarshal(b, &val); err == nil {
 		n.Val = val
 		n.Valid = true
@@ -271,13 +326,14 @@ func (n SqlNull[T]) UUID() uuid.UUID {
 
 // Type aliases for common types.
 type (
-	SqlInt16   = SqlNull[int16]
-	SqlInt32   = SqlNull[int32]
-	SqlInt64   = SqlNull[int64]
-	SqlFloat64 = SqlNull[float64]
-	SqlBool    = SqlNull[bool]
-	SqlString  = SqlNull[string]
-	SqlUUID    = SqlNull[uuid.UUID]
+	SqlInt16     = SqlNull[int16]
+	SqlInt32     = SqlNull[int32]
+	SqlInt64     = SqlNull[int64]
+	SqlFloat64   = SqlNull[float64]
+	SqlBool      = SqlNull[bool]
+	SqlString    = SqlNull[string]
+	SqlByteArray = SqlNull[[]byte]
+	SqlUUID      = SqlNull[uuid.UUID]
 )
 
 // SqlTimeStamp - Timestamp with custom formatting (YYYY-MM-DDTHH:MM:SS).
@@ -581,6 +637,10 @@ func NewSqlString(v string) SqlString {
 	return SqlString{Val: v, Valid: true}
 }
 
+func NewSqlByteArray(v []byte) SqlByteArray {
+	return SqlByteArray{Val: v, Valid: true}
+}
+
 func NewSqlUUID(v uuid.UUID) SqlUUID {
 	return SqlUUID{Val: v, Valid: true}
 }

pkg/spectypes/sql_types_test.go

@@ -565,3 +565,394 @@ func TestTryIfInt64(t *testing.T) {
 		})
 	}
 }
+
+// TestSqlString tests SqlString without base64 (plain text)
+func TestSqlString_Scan(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    interface{}
+		expected string
+		valid    bool
+	}{
+		{
+			name:     "plain string",
+			input:    "hello world",
+			expected: "hello world",
+			valid:    true,
+		},
+		{
+			name:     "plain text",
+			input:    "plain text",
+			expected: "plain text",
+			valid:    true,
+		},
+		{
+			name:     "bytes as string",
+			input:    []byte("raw bytes"),
+			expected: "raw bytes",
+			valid:    true,
+		},
+		{
+			name:     "nil value",
+			input:    nil,
+			expected: "",
+			valid:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var s SqlString
+			if err := s.Scan(tt.input); err != nil {
+				t.Fatalf("Scan failed: %v", err)
+			}
+			if s.Valid != tt.valid {
+				t.Errorf("expected valid=%v, got valid=%v", tt.valid, s.Valid)
+			}
+			if tt.valid && s.String() != tt.expected {
+				t.Errorf("expected %q, got %q", tt.expected, s.String())
+			}
+		})
+	}
+}
+
+func TestSqlString_JSON(t *testing.T) {
+	tests := []struct {
+		name           string
+		inputValue     string
+		expectedJSON   string
+		expectedDecode string
+	}{
+		{
+			name:           "simple string",
+			inputValue:     "hello world",
+			expectedJSON:   `"hello world"`, // plain text, not base64
+			expectedDecode: "hello world",
+		},
+		{
+			name:           "special characters",
+			inputValue:     "test@#$%",
+			expectedJSON:   `"test@#$%"`, // plain text, not base64
+			expectedDecode: "test@#$%",
+		},
+		{
+			name:           "unicode string",
+			inputValue:     "Hello 世界",
+			expectedJSON:   `"Hello 世界"`, // plain text, not base64
+			expectedDecode: "Hello 世界",
+		},
+		{
+			name:           "empty string",
+			inputValue:     "",
+			expectedJSON:   `""`,
+			expectedDecode: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test MarshalJSON
+			s := NewSqlString(tt.inputValue)
+			data, err := json.Marshal(s)
+			if err != nil {
+				t.Fatalf("Marshal failed: %v", err)
+			}
+			if string(data) != tt.expectedJSON {
+				t.Errorf("Marshal: expected %s, got %s", tt.expectedJSON, string(data))
+			}
+
+			// Test UnmarshalJSON
+			var s2 SqlString
+			if err := json.Unmarshal(data, &s2); err != nil {
+				t.Fatalf("Unmarshal failed: %v", err)
+			}
+			if !s2.Valid {
+				t.Error("expected valid=true after unmarshal")
+			}
+			if s2.String() != tt.expectedDecode {
+				t.Errorf("Unmarshal: expected %q, got %q", tt.expectedDecode, s2.String())
+			}
+		})
+	}
+}
+
+func TestSqlString_JSON_Null(t *testing.T) {
+	// Test null handling
+	var s SqlString
+	if err := json.Unmarshal([]byte("null"), &s); err != nil {
+		t.Fatalf("Unmarshal null failed: %v", err)
+	}
+	if s.Valid {
+		t.Error("expected invalid after unmarshaling null")
+	}
+
+	// Test marshal null
+	data, err := json.Marshal(s)
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+	if string(data) != "null" {
+		t.Errorf("expected null, got %s", string(data))
+	}
+}
+
+// TestSqlByteArray_Base64 tests SqlByteArray with base64 encoding/decoding
+func TestSqlByteArray_Base64_Scan(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    interface{}
+		expected []byte
+		valid    bool
+	}{
+		{
+			name:     "base64 encoded bytes from SQL",
+			input:    "aGVsbG8gd29ybGQ=", // "hello world" in base64
+			expected: []byte("hello world"),
+			valid:    true,
+		},
+		{
+			name:     "plain bytes fallback",
+			input:    "plain text",
+			expected: []byte("plain text"),
+			valid:    true,
+		},
+		{
+			name:     "bytes base64 encoded",
+			input:    []byte("SGVsbG8gR29waGVy"), // "Hello Gopher" in base64
+			expected: []byte("Hello Gopher"),
+			valid:    true,
+		},
+		{
+			name:     "bytes plain fallback",
+			input:    []byte("raw bytes"),
+			expected: []byte("raw bytes"),
+			valid:    true,
+		},
+		{
+			name:     "binary data",
+			input:    "AQIDBA==", // []byte{1, 2, 3, 4} in base64
+			expected: []byte{1, 2, 3, 4},
+			valid:    true,
+		},
+		{
+			name:     "nil value",
+			input:    nil,
+			expected: nil,
+			valid:    false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var b SqlByteArray
+			if err := b.Scan(tt.input); err != nil {
+				t.Fatalf("Scan failed: %v", err)
+			}
+			if b.Valid != tt.valid {
+				t.Errorf("expected valid=%v, got valid=%v", tt.valid, b.Valid)
+			}
+			if tt.valid {
+				if string(b.Val) != string(tt.expected) {
+					t.Errorf("expected %q, got %q", tt.expected, b.Val)
+				}
+			}
+		})
+	}
+}
+
+func TestSqlByteArray_Base64_JSON(t *testing.T) {
+	tests := []struct {
+		name           string
+		inputValue     []byte
+		expectedJSON   string
+		expectedDecode []byte
+	}{
+		{
+			name:           "text bytes",
+			inputValue:     []byte("hello world"),
+			expectedJSON:   `"aGVsbG8gd29ybGQ="`, // base64 encoded
+			expectedDecode: []byte("hello world"),
+		},
+		{
+			name:           "binary data",
+			inputValue:     []byte{0x01, 0x02, 0x03, 0x04, 0xFF},
+			expectedJSON:   `"AQIDBP8="`, // base64 encoded
+			expectedDecode: []byte{0x01, 0x02, 0x03, 0x04, 0xFF},
+		},
+		{
+			name:           "empty bytes",
+			inputValue:     []byte{},
+			expectedJSON:   `""`, // base64 of empty bytes
+			expectedDecode: []byte{},
+		},
+		{
+			name:           "unicode bytes",
+			inputValue:     []byte("Hello 世界"),
+			expectedJSON:   `"SGVsbG8g5LiW55WM"`, // base64 encoded
+			expectedDecode: []byte("Hello 世界"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Test MarshalJSON
+			b := NewSqlByteArray(tt.inputValue)
+			data, err := json.Marshal(b)
+			if err != nil {
+				t.Fatalf("Marshal failed: %v", err)
+			}
+			if string(data) != tt.expectedJSON {
+				t.Errorf("Marshal: expected %s, got %s", tt.expectedJSON, string(data))
+			}
+
+			// Test UnmarshalJSON
+			var b2 SqlByteArray
+			if err := json.Unmarshal(data, &b2); err != nil {
+				t.Fatalf("Unmarshal failed: %v", err)
+			}
+			if !b2.Valid {
+				t.Error("expected valid=true after unmarshal")
+			}
+			if string(b2.Val) != string(tt.expectedDecode) {
+				t.Errorf("Unmarshal: expected %v, got %v", tt.expectedDecode, b2.Val)
+			}
+		})
+	}
+}
+
+func TestSqlByteArray_Base64_JSON_Null(t *testing.T) {
+	// Test null handling
+	var b SqlByteArray
+	if err := json.Unmarshal([]byte("null"), &b); err != nil {
+		t.Fatalf("Unmarshal null failed: %v", err)
+	}
+	if b.Valid {
+		t.Error("expected invalid after unmarshaling null")
+	}
+
+	// Test marshal null
+	data, err := json.Marshal(b)
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+	if string(data) != "null" {
+		t.Errorf("expected null, got %s", string(data))
+	}
+}
+
+func TestSqlByteArray_Value(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    SqlByteArray
+		expected interface{}
+	}{
+		{
+			name:     "valid bytes",
+			input:    NewSqlByteArray([]byte("test data")),
+			expected: []byte("test data"),
+		},
+		{
+			name:     "empty bytes",
+			input:    NewSqlByteArray([]byte{}),
+			expected: []byte{},
+		},
+		{
+			name:     "invalid",
+			input:    SqlByteArray{Valid: false},
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			val, err := tt.input.Value()
+			if err != nil {
+				t.Fatalf("Value failed: %v", err)
+			}
+			if tt.expected == nil && val != nil {
+				t.Errorf("expected nil, got %v", val)
+			}
+			if tt.expected != nil && val == nil {
+				t.Errorf("expected %v, got nil", tt.expected)
+			}
+			if tt.expected != nil && val != nil {
+				if string(val.([]byte)) != string(tt.expected.([]byte)) {
+					t.Errorf("expected %v, got %v", tt.expected, val)
+				}
+			}
+		})
+	}
+}
+
+// TestSqlString_RoundTrip tests complete round-trip: Go -> JSON -> Go -> SQL -> Go
+func TestSqlString_RoundTrip(t *testing.T) {
+	original := "Test String with Special Chars: @#$%^&*()"
+
+	// Go -> JSON
+	s1 := NewSqlString(original)
+	jsonData, err := json.Marshal(s1)
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	// JSON -> Go
+	var s2 SqlString
+	if err := json.Unmarshal(jsonData, &s2); err != nil {
+		t.Fatalf("Unmarshal failed: %v", err)
+	}
+
+	// Go -> SQL (Value)
+	_, err = s2.Value()
+	if err != nil {
+		t.Fatalf("Value failed: %v", err)
+	}
+
+	// SQL -> Go (Scan plain text)
+	var s3 SqlString
+	// Simulate SQL driver returning plain text value
+	if err := s3.Scan(original); err != nil {
+		t.Fatalf("Scan failed: %v", err)
+	}
+
+	// Verify round-trip
+	if s3.String() != original {
+		t.Errorf("Round-trip failed: expected %q, got %q", original, s3.String())
+	}
+}
+
+// TestSqlByteArray_Base64_RoundTrip tests complete round-trip: Go -> JSON -> Go -> SQL -> Go
+func TestSqlByteArray_Base64_RoundTrip(t *testing.T) {
+	original := []byte{0x48, 0x65, 0x6C, 0x6C, 0x6F, 0x20, 0xFF, 0xFE} // "Hello " + binary data
+
+	// Go -> JSON
+	b1 := NewSqlByteArray(original)
+	jsonData, err := json.Marshal(b1)
+	if err != nil {
+		t.Fatalf("Marshal failed: %v", err)
+	}
+
+	// JSON -> Go
+	var b2 SqlByteArray
+	if err := json.Unmarshal(jsonData, &b2); err != nil {
+		t.Fatalf("Unmarshal failed: %v", err)
+	}
+
+	// Go -> SQL (Value)
+	_, err = b2.Value()
+	if err != nil {
+		t.Fatalf("Value failed: %v", err)
+	}
+
+	// SQL -> Go (Scan with base64)
+	var b3 SqlByteArray
+	// Simulate SQL driver returning base64 encoded value
+	if err := b3.Scan("SGVsbG8g//4="); err != nil {
+		t.Fatalf("Scan failed: %v", err)
+	}
+
+	// Verify round-trip
+	if string(b3.Val) != string(original) {
+		t.Errorf("Round-trip failed: expected %v, got %v", original, b3.Val)
+	}
+}
+