diff --git a/backend/Admin/AdminCaptain/get.php b/backend/Admin/AdminCaptain/get.php
index 73c9b43..a955ecb 100644
--- a/backend/Admin/AdminCaptain/get.php
+++ b/backend/Admin/AdminCaptain/get.php
@@ -1,6 +1,12 @@ 'Unauthorized: Admin access required']);
+ exit;
+}
+
 $sql = "SELECT `driver`.`id`, `driver`.`phone`,
diff --git a/backend/Admin/errorApp.php b/backend/Admin/errorApp.php
index 04bbf05..bff60da 100644
--- a/backend/Admin/errorApp.php
+++ b/backend/Admin/errorApp.php
@@ -1,16 +1,22 @@ 'Unauthorized: Admin access required']);
+ exit;
+}
+
 function normalize_phone($s) { return preg_replace('/\D+/', '', (string)$s); }
 $id = filterRequest("id"); // أو
diff --git a/backend/Admin/passenger/admin_update_passenger.php b/backend/Admin/passenger/admin_update_passenger.php
index 837d56d..425da62 100644
--- a/backend/Admin/passenger/admin_update_passenger.php
+++ b/backend/Admin/passenger/admin_update_passenger.php
@@ -1,7 +1,11 @@ 'Unauthorized: Admin access required']);
+ exit;
+}
 $id = filterRequest("id"); // مفضّل
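Review bot: The new guard reads `$role` but nothing in this hunk defines it, so the check depends on the shared include populating that variable before this point (send_whatsapp_message.php shows the block placed right after `require_once __DIR__ . '/../connect.php';`); the start of this hunk is not readable in this view, so that ordering cannot be verified here. If `$role` were ever left unset the strict `!==` comparison still fails closed with a 403, which is the right default, but the protection is only as strong as the source of `$role` — it has to come from a server-side session or a verified token, never from request parameters, and that origin is not visible on this page. The identical block is pasted into errorApp.php, admin_update_passenger.php, admin_get_rides_by_phone.php, monitorRide.php and send_whatsapp_message.php; moving it into one `requireAdminRole()` helper in the shared include keeps the allowed-role list and the 403 response in a single place, and `if (!in_array($role, ['admin', 'super_admin'], true)) {` reads more clearly than two negated comparisons. The body is JSON but no content type is set in the hunk; unless the include sets one globally, add `header('Content-Type: application/json');` before the `echo`.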
@@ -9,38 +13,41 @@ $first_name = filterRequest("first_name");
 $last_name = filterRequest("last_name");
 $new_phone = filterRequest("phone");
-if (empty($id) ) { jsonError("Provide id or phone_lookup"); exit; }
+if (empty($id)) { jsonError("Passenger ID is required"); exit; }
 if ($first_name === null && $last_name === null && $new_phone === null) { jsonError("Nothing to update"); exit; }
 $sets = [];
 $params = [];
- $new_phone = $encryptionHelper->encryptData($new_phone);
- $first_name = $encryptionHelper->encryptData($first_name);
- $last_name = $encryptionHelper->encryptData($last_name);
- $enc_norm = $encryptionHelper->encryptData($norm);
-if ($first_name !== null) { $sets[] = "first_name = :first_name"; $params['first_name'] = trim($first_name); }
-if ($last_name !== null) { $sets[] = "last_name = :last_name"; $params['last_name'] = trim($last_name); }
-if ($new_phone !== null) {
- $sets[] = "phone = :phone";
- $params['phone'] = trim($new_phone);
+if ($first_name !== null) {
+ $encFirst = $encryptionHelper->encryptData($first_name);
+ $sets[] = "first_name = :first_name";
+ $params['first_name'] = trim($encFirst);
+}
+if ($last_name !== null) {
+ $encLast = $encryptionHelper->encryptData($last_name);
+ $sets[] = "last_name = :last_name";
+ $params['last_name'] = trim($encLast);
+}
+if ($new_phone !== null) {
+ $encPhone = $encryptionHelper->encryptData($new_phone);
+ $sets[] = "phone = :phone";
+ $params['phone'] = trim($encPhone);
 // منع تكرار الهاتف على راكب آخر
 $q = $con->prepare("SELECT id FROM passengers WHERE phone = :ph LIMIT 1");
 $q->execute(['ph' => $params['phone']]);
 $row = $q->fetch(PDO::FETCH_ASSOC);
- if ($row) {
- if (!empty($id) && $row['id'] != $id) { jsonError("Phone already used by another passenger"); exit; }
- if (empty($id) && $row['id'] != $phoneLookup) { jsonError("Phone already used by another passenger"); exit; }
+ if ($row && $row['id'] != $id) {
+ jsonError("Phone already used by another passenger");
+ exit;
 }
 }
-$whereSql = "";
-$whereParams = [];
-if (!empty($id)) { $whereSql = "id = :pid"; $whereParams['pid'] = $id; }
-else { $whereSql = "phone = :plk"; $whereParams['plk'] = $phoneLookup; }
+$whereSql = "id = :pid";
+$whereParams = ['pid' => $id];
 $sql = "UPDATE passengers SET ".implode(", ", $sets).", updated_at = CURRENT_TIMESTAMP WHERE $whereSql";
 $stmt = $con->prepare($sql);
diff --git a/backend/Admin/rides/admin_get_rides_by_phone.php b/backend/Admin/rides/admin_get_rides_by_phone.php
index df4af02..9014e67 100644
--- a/backend/Admin/rides/admin_get_rides_by_phone.php
+++ b/backend/Admin/rides/admin_get_rides_by_phone.php
@@ -1,6 +1,12 @@ 'Unauthorized: Admin access required']);
+ exit;
+}
+
 /**
 * تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
 */
diff --git a/backend/Admin/rides/monitorRide.php b/backend/Admin/rides/monitorRide.php
index b3adf4c..faf4955 100644
--- a/backend/Admin/rides/monitorRide.php
+++ b/backend/Admin/rides/monitorRide.php
@@ -1,6 +1,12 @@ 'Unauthorized: Admin access required']);
+ exit;
+}
+
 /**
 * تطبيع رقم الهاتف ليتوافق مع التخزين في قاعدة البيانات
 */
diff --git a/backend/Admin/send_whatsapp_message.php b/backend/Admin/send_whatsapp_message.php
index f2bf31f..00dfd66 100644
--- a/backend/Admin/send_whatsapp_message.php
+++ b/backend/Admin/send_whatsapp_message.php
@@ -2,7 +2,13 @@
 // File: send_whatsapp_message.php
 // هذا السكربت يرسل رسالة واتساب فقط باستخدام RaseelPlus API
-require_once __DIR__ . '/../connect.php'; // فقط إذا كنت تحتاج للوصول إلى environment
+require_once __DIR__ . '/../connect.php';
+
+if ($role !== 'admin' && $role !== 'super_admin') {
+ http_response_code(403);
+ echo json_encode(['error' => 'Unauthorized: Admin access required']);
+ exit;
+}
 error_log("--- [send_whatsapp_message.php] Script execution started ---");
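Review bot: `trim()` is now applied to the ciphertext rather than the input: `$params['first_name'] = trim($encFirst);` trims the output of `encryptData`, so any surrounding whitespace in `$first_name` is encrypted into the stored value and the trim itself is a no-op; the same applies to `$encLast` and `$encPhone`. Move the trim before the encryption, e.g. `$encFirst = $encryptionHelper->encryptData(trim($first_name));`, and likewise for the other two fields. The duplicate-phone lookup `WHERE phone = :ph` compares ciphertext, which only finds a match if `encryptData` is deterministic for equal inputs — not confirmable from here — and the old `$norm` normalisation was dropped, so a number entered with spaces or dashes would no longer match a stored one. `$row['id'] != $id` is a loose comparison between a DB value and request input; `(int) $row['id'] !== (int) $id` states the intent.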
@@ -16,6 +22,18 @@ if (empty($receiver) || empty($message)) {
 exit();
 }
+// Validate phone number format (basic international format)
+if (!preg_match('/^\+?[1-9]\d{6,14}$/', $receiver)) {
+ jsonError('Invalid phone number format.');
+ exit();
+}
+
+// Limit message length to prevent abuse
+if (strlen($message) > 4096) {
+ jsonError('Message too long. Maximum 4096 characters.');
+ exit();
+}
+
 // بيانات Raseel
 $instanceId = getenv("RASEEL_DRIVER_INSTANCE_ID");
 $accessToken = getenv("RASEEL_DRIVER_ACCESS_TOKEN");
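Review bot: `strlen($message) > 4096` counts bytes, so the error text "Maximum 4096 characters" is wrong for multi-byte text — an Arabic message hits the limit well before 4096 characters; use `if (mb_strlen($message, 'UTF-8') > 4096) {` if the limit is meant in characters, or reword the message if a byte limit is intended. The phone regex ends in `$`, which in PCRE also matches before a trailing newline, so a receiver value ending in `\n` passes the check; `if (!preg_match('/^\+?[1-9]\d{6,14}\z/', $receiver)) {` anchors at the true end of the string. The sibling admin files on this page normalise phone numbers with `normalize_phone` before use, while this check rejects any spaces or dashes outright; whether callers always send an already-normalised value is not visible here.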