diff --git a/backend/auth/login.php b/backend/auth/login.php
index 75f97ea..82a4300 100644
--- a/backend/auth/login.php
+++ b/backend/auth/login.php
@@ -6,8 +6,23 @@ $email = filterRequest('email');
 $phone = filterRequest('phone');
 $password = filterRequest('password');
-// Hash the password
-$hashed_password = password_hash($password, PASSWORD_DEFAULT);
+if (empty($phone) && empty($email)) {
+ echo json_encode(["status" => "Failure", "data" => "Phone or email is required."]);
+ exit;
+}
+
+// Build WHERE dynamically: support phone-only, email-only, or both
+$conditions = [];
+$params = [':password' => $password];
+if (!empty($phone)) {
+ $conditions[] = "passengers.phone = :phone";
+ $params[':phone'] = $phone;
+}
+if (!empty($email)) {
+ $conditions[] = "passengers.email = :email";
+ $params[':email'] = $email;
+}
+$where = implode(' OR ', $conditions);
 $sql = "SELECT passengers.`id`,
@@ -29,11 +44,9 @@ FROM `passengers`
 LEFT JOIN email_verifications ON email_verifications.email = passengers.email
 WHERE
- passengers.phone = :phone AND passengers.email = :email ";
+ $where";
 $stmt = $con->prepare($sql);
-$stmt->bindParam(':email', $email);
-$stmt->bindParam(':phone', $phone);
-$stmt->execute();
+$stmt->execute($params);
 $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
 $count = $stmt->rowCount();
diff --git a/backend/auth/otp/verify.php b/backend/auth/otp/verify.php
index cad87f4..5c77e51 100644
--- a/backend/auth/otp/verify.php
+++ b/backend/auth/otp/verify.php
@@ -7,7 +7,7 @@ require_once __DIR__ . '/../../functions.php';
 // 0. Rate Limiting: 3 محاولات OTP كل 5 دقائق لكل IP
 $rateLimiter = new RateLimiter($redis);
-$rateLimiter->enforce(RateLimiter::identifier(), 'otp');
+$rateLimiter->enforce(RateLimiter::identifier(), 'otp_verify');
 // 1. Fetch input parameters
 $phone_number = filterRequest("phone_number");
diff --git a/backend/auth/signup.php b/backend/auth/signup.php
index 31c143b..5704463 100644
--- a/backend/auth/signup.php
+++ b/backend/auth/signup.php
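Review bot: `$params = [':password' => $password]` binds the raw password as a query parameter, yet the visible statement has no `:password` placeholder — the WHERE is built only from `:phone`/`:email`, and the removed WHERE never referenced one either. PDO normally rejects an execute() whose bound parameters do not match the statement's tokens (SQLSTATE HY093), so unless a `:password` token sits in the truncated SELECT list every login will now fail; and if one does sit there, the password is being compared inside SQL instead of verified against a stored hash. Start with `$params = [];` and, after the fetch, check `password_verify($password, $row['password'])` (plus `password_needs_rehash` where appropriate), which is what the deleted `password_hash` line hints was intended. The early-exit response here uses `echo json_encode(["status" => "Failure", ...])` while signup.php in the same commit uses `jsonError(...)`; using the helper keeps the error envelope consistent. The rest of login.php, including where the result is checked, is outside this hunk.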
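Review bot: Switching the WHERE from `AND` to `OR` turns "the account whose phone and email both match" into "any account matching either", so a request carrying one account's phone and another account's email returns two rows and `$count`/`$data[0]` no longer identify a single principal. When both identifiers are supplied the query should require both (`$where = implode(' AND ', $conditions);`), or the code must treat `$count > 1` as a failed login rather than picking the first row. Separately, signup.php in this commit stores `$phone`/`$email` only after `$encryptionHelper->encryptData()`, whereas this query binds the raw request values; unless login.php applies the same transformation before this point (not visible here), the lookup cannot match stored rows. The SELECT column list and everything after `$count` are outside the hunk.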
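Review bot: The new `enforce(RateLimiter::identifier(), 'otp_verify')` call is keyed on `RateLimiter::identifier()` alone, which the comment above describes as per-IP (3 attempts per 5 minutes), so verification attempts against a given `$phone_number` are not bounded and an attacker rotating source addresses can keep guessing one code. Assuming enforce() accepts an arbitrary key, add a second bucket once the phone is read, e.g. `$rateLimiter->enforce('phone:' . $phone_number, 'otp_verify');`, and invalidate the OTP after a fixed number of wrong guesses. The Arabic comment should be in English for the rest of the team, e.g. `// 0. Rate limiting: 3 OTP attempts per 5 minutes per IP`. RateLimiter's implementation is not part of this diff, so the exact semantics of identifier() and enforce() are inferred from the comment.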
@@ -12,6 +12,24 @@ $gender = filterRequest("gender");
 $birthdate = filterRequest("birthdate");
 $site = filterRequest("site");
+// --- Input Validation ---
+if (empty($phone) || strlen(preg_replace('/\D+/', '', $phone)) < 8) {
+ jsonError("Valid phone number is required.");
+ exit;
+}
+if (!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+ jsonError("Valid email address is required.");
+ exit;
+}
+if (empty($password) || strlen($password) < 6) {
+ jsonError("Password must be at least 6 characters.");
+ exit;
+}
+if (empty($first_name) || empty($last_name)) {
+ jsonError("First name and last name are required.");
+ exit;
+}
+
 // تشفير البيانات الحساسة
 $phone = $encryptionHelper->encryptData($phone);
 $email = $encryptionHelper->encryptData($email);
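Review bot: `strlen($password) < 6` is a weak floor and counts bytes rather than characters, so a short multibyte password can pass while the check reads as character-based; raise it to at least 8 with `mb_strlen($password) < 8` and adjust the message. If the stored hash comes from `password_hash(..., PASSWORD_DEFAULT)` (bcrypt, as the line removed from login.php suggests), also reject input over 72 bytes (`strlen($password) > 72`) because bcrypt silently truncates there. Each branch calls `jsonError(...)` and then `exit`; if jsonError already terminates (it is not shown) the `exit` lines are dead, and an English comment in place of `// تشفير البيانات الحساسة` (roughly "encrypt sensitive data") would help non-Arabic reviewers. The email branch lets an empty `$email` through and the line below then encrypts an empty string — confirm that is intended rather than skipping encryption or storing NULL. The INSERT that consumes these values is outside the hunk.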