fix(security): wallet balance check with FOR UPDATE, remove user-supplied ID in signup, hardcoded IP to env

backend/functions.php

@@ -44,8 +44,7 @@ function isAllowedSocketUrl(string $url): bool {
 }
 
 function sendToLocationServer($action, $data) {
-    // رابط سيرفر اللوكيشن الداخلي أو العام
-    $url = "http://188.68.36.205:2021";
+    $url = getenv('LOCATION_SERVER_URL') ?: 'http://188.68.36.205:2021';
     if (!isAllowedSocketUrl($url)) {
         error_log("[SSRF_BLOCKED] Attempted connection to: $url");
         return;