fix(security): fix pervasive IDOR - force JWT user identity in 9 endpoints, fix host injection, exception leaks, wallet auth

backend/ride/rides/finish_ride_updates.php

@@ -34,7 +34,8 @@ define('WALLET_PAYMENT_URL', 'https://walletintaleq.intaleq.xyz/v1/main/ride/pay
 // 1. Receive Raw Parameters (NO price from client)
 // ============================================================
 $rideId         = filterRequest("rideId");
-$driver_id      = filterRequest("driver_id");
+// Force driver_id from JWT — never trust user-supplied driver_id
+$driver_id      = $user_id;
 $passengerId    = filterRequest("passengerId");
 $newStatus      = filterRequest("status");   // Expected: "Finished"
 $actualDistance = filterRequest("actualDistance");