Fix #17: SQL injection + mass data exposure (backend)

- Fixed SQL injection in ride/license/get.php (interpolated variable → parameterized query)
- Added admin role checks to all 3 mass data endpoints (driver tokens, passenger tokens, phones+tokens)
- Added pagination (50/page) to all 4 mass data endpoints
- Fixed LIMIT to use placeholders with type binding

backend/ride/firebase/getAllTokenPassengers.php

@@ -1,21 +1,37 @@
 <?php
 require_once __DIR__ . '/../../connect.php';
 
-$sql = "SELECT * FROM `tokens`";
+if ($role !== 'admin' && $role !== 'super_admin') {
+    http_response_code(403);
+    echo json_encode(['error' => 'Unauthorized: Admin access required']);
+    exit;
+}
+
+$page = max(1, (int) filterRequest('page'));
+$limit = 50;
+$offset = ($page - 1) * $limit;
+
+$sql = "SELECT * FROM `tokens` LIMIT :lim OFFSET :off";
 $stmt = $con->prepare($sql);
+$stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
+$stmt->bindValue(':off', $offset, PDO::PARAM_INT);
 $stmt->execute();
 $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
 
+$countStmt = $con->query("SELECT COUNT(*) FROM `tokens`");
+$total = $countStmt->fetchColumn();
+
 if ($data) {
-    // فك تشفير token فقط
     foreach ($data as &$item) {
         $item['token'] = $encryptionHelper->decryptData($item['token']);
-        // fingerPrint يبقى كما هو (مشفّر من التطبيق)
     }
 
     echo json_encode([
         'status' => 'success',
-        'data' => $data
+        'data' => $data,
+        'total' => (int) $total,
+        'page' => $page,
+        'pages' => (int) ceil($total / $limit),
     ]);
 } else {
     jsonError("No token records found");