Fix #17: SQL injection + mass data exposure (backend)

- Fixed SQL injection in ride/license/get.php (interpolated variable → parameterized query)
- Added admin role checks to all 3 mass data endpoints (driver tokens, passenger tokens, phones+tokens)
- Added pagination (50/page) to all 4 mass data endpoints
- Fixed LIMIT to use placeholders with type binding

backend/Admin/AdminCaptain/get.php

@@ -54,9 +54,14 @@ $sql = "SELECT
     ) AS passengerToken
 FROM `driver`
 ORDER BY passengerAverageRating DESC
-LIMIT 10";
+LIMIT :lim OFFSET :off";
 
 $stmt = $con->prepare($sql);
+$page = max(1, (int) filterRequest('page'));
+$limit = 10;
+$offset = ($page - 1) * $limit;
+$stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
+$stmt->bindValue(':off', $offset, PDO::PARAM_INT);
 $stmt->execute();
 $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
 
@@ -73,8 +78,16 @@ foreach ($result as &$row) {
     $row['maritalStatus'] = $encryptionHelper->decryptData($row['maritalStatus']);
 }
 
+$countStmt = $con->query("SELECT COUNT(*) FROM `driver`");
+$total = $countStmt->fetchColumn();
+
 if (count($result) > 0) {
-    jsonSuccess($result);
+    jsonSuccess([
+        'data' => $result,
+        'total' => (int) $total,
+        'page' => $page,
+        'pages' => (int) ceil($total / $limit),
+    ]);
 } else {
     jsonError("No records found");
 }