Fix #22: Medium-severity fixes (M-01 through M-07)

M-01: Host header injection - replaced HTTP_HOST with APP_DOMAIN
M-02: Unauthenticated CRUD - ownership checks on carDrivers add/delete
M-03: MD5 tracking token - replaced md5() with hash_hmac sha256
M-04: Webhook SMS - absolute log path instead of relative
M-05: Weak 3-digit OTP - already noted as requirement (Fix #5)
M-06: Redis without auth - added password + prefix to cancel_ride_by_driver
M-07: SSRF bypass - str_ends_with -> strict equality in allowlist

backend/ride/carDrivers/delete.php

@@ -4,6 +4,23 @@ require_once __DIR__ . '/../../connect.php';
 // استقبال ID السجل
 $id = filterRequest("id");
 
+// التحقق من أن السجل يخص المستخدم الحالي أو هو أدمن
+$checkSql = "SELECT driverID FROM captains_car WHERE id = :id LIMIT 1";
+$checkStmt = $con->prepare($checkSql);
+$checkStmt->bindParam(':id', $id, PDO::PARAM_INT);
+$checkStmt->execute();
+$record = $checkStmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$record) {
+    jsonError("Record not found");
+    exit;
+}
+
+if ($role !== 'admin' && $role !== 'super_admin' && (string)$user_id !== $record['driverID']) {
+    jsonError("Unauthorized: You can only delete your own car registrations");
+    exit;
+}
+
 // حذف السجل من جدول captains_car (أو CarRegistration لو هو الصحيح فعلاً)
 $sql = "DELETE FROM captains_car WHERE id = :id";
 $stmt = $con->prepare($sql);