fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

backend/ride/rate/add.php

@@ -1,7 +1,12 @@
 <?php
 require_once __DIR__ . '/../../connect.php';
 
-$passenger_id = filterRequest("passenger_id");
+// Force passenger_id from JWT — never trust user-supplied passenger_id
+if ($role !== 'passenger') {
+    jsonError("Only passengers can submit ratings");
+    exit;
+}
+$passenger_id = $user_id;
 $driverID = filterRequest("driverID");
 $rideId = filterRequest("rideId");
 $rating = filterRequest("rating");