fix(security): fix SQL injection in updatePaymetToPaid, OTP random_int, static IV encryption, storage mismatch

backend/auth/token_passenger/driver/send_otp_driver.php

@@ -3,7 +3,7 @@
 require_once __DIR__ . '/../../../connect.php';
 
 /* 1) توليد رمز التحقق (3 خانات) --------------------------------------------------- */
-$otp      = (string)rand(100, 999);
+$otp      = (string)random_int(100, 999);
 $receiver = filterRequest("receiver");
 
 if (empty($receiver)) {
@@ -69,6 +69,11 @@ if ($sentOK) {
         ");
         $stmt->execute([$receiver_enc, $otp_enc, $exp, $now]);
 
+        // Also save to Redis for verify_otp compatibility
+        if ($redis) {
+            $redis->setex("otp:driver:$receiver", 300, $otp);
+        }
+
         jsonSuccess(null, 'OTP sent and saved successfully');
 
     } catch (PDOException $e) {
@@ -76,12 +81,6 @@ if ($sentOK) {
     }
 
 } else {
-    $errMsg = $decoded['message'] ?? 'Unknown error';
-    jsonError('Failed to send OTP: ' . $errMsg);
+    jsonError('Failed to send OTP');
 }
-
-/* -----------------------------------------------------------------------
- * أبقينا callAPI() فقط إذا كان يُستخدم في ملفات أخرى – احذفه إن شئت.
- * --------------------------------------------------------------------- */
-function callAPI($method, $url, $data) { /* … */ }
 ?>