Update: 2026-06-21 02:07:00

backend/ride/rides/acceptRide.php

@@ -21,12 +21,22 @@ $rideId = filterRequest("id");
 $driverId = $user_id;
 $status = filterRequest("status");       // القيمة التي يرسلها التطبيق: 'accepted'
 $passengerToken = filterRequest("passengerToken");
+$passengerFingerprint = filterRequest("passengerFingerprint");
+$passengerIdValue = filterRequest("passenger_id");
 
 if (empty($rideId) || empty($driverId)) {
     printFailure("Missing required parameters");
     exit;
 }
 
+// Self-ride validation
+$driverFingerprint = isset($_SERVER['HTTP_X_DEVICE_FP']) ? $_SERVER['HTTP_X_DEVICE_FP'] : '';
+if (!empty($driverFingerprint) && $driverFingerprint === $passengerFingerprint) {
+    error_log("[accept_ride] Self-ride attempt blocked. DriverID=$driverId, Fingerprint=$driverFingerprint");
+    printFailure("Self-matching is not allowed");
+    exit;
+}
+
 // status whitelist — لا نقبل قيمة عشوائية من التطبيق
 $allowedStatuses = ['accepted', 'Apply'];
 if (!in_array($status, $allowedStatuses, true)) {
@@ -158,9 +168,11 @@ try {
     // ═══════════════════════════════════════════════════════════
     // STEP E — جلب passenger_id وإرسال الإشعارات
     // ═══════════════════════════════════════════════════════════
-    $passengerId = $con->prepare("SELECT passenger_id FROM ride WHERE id = ? LIMIT 1");
-    $passengerId->execute([$rideId]);
-    $passengerIdValue = $passengerId->fetchColumn();
+    if (empty($passengerIdValue)) {
+        $passengerId = $con->prepare("SELECT passenger_id FROM ride WHERE id = ? LIMIT 1");
+        $passengerId->execute([$rideId]);
+        $passengerIdValue = $passengerId->fetchColumn();
+    }
 
     if ($passengerIdValue) {
         // Socket — real-time update على خريطة الراكب