From f75e456aac7566c7641858881d9afb853cd47431 Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Wed, 24 Jun 2026 16:27:41 +0300
Subject: [PATCH] Update: 2026-06-24 16:27:39
---
 backend/auth/otp/verify.php | 166 +++++++++++++++++++++---------------
 1 file changed, 97 insertions(+), 69 deletions(-)
diff --git a/backend/auth/otp/verify.php b/backend/auth/otp/verify.php
index 5c77e51..ce20afb 100644
--- a/backend/auth/otp/verify.php
+++ b/backend/auth/otp/verify.php
@@ -57,27 +57,36 @@ try { } // 3. Encrypt data to query -$encryptedPhone = $encryptionHelper->encryptData($phone_number); -$encryptedToken = $encryptionHelper->encryptData($token_code); - // 4. Verify based on user type try { if ($user_type === 'admin') { $sql = "SELECT * FROM token_verification_admin - WHERE phone_number = :phone AND token = :token - AND expiration_time >= NOW() AND verified = 0"; + WHERE expiration_time >= NOW() AND verified = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($stmt->rowCount() > 0) { + $matchedRow = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRow = $row; + break; + } + } + + if ($matchedRow) { $deviceNumber = filterRequest("device_number") ?? ''; // adminUser stores unencrypted phone $checkAdmin = $con->prepare("SELECT * FROM adminUser WHERE name = ?"); $checkAdmin->execute([$phone_number]); $now = date("Y-m-d H:i:s"); + // Mark token as verified + $updateToken = $con->prepare("UPDATE token_verification_admin SET verified = 1 WHERE phone_number = ? AND token = ?"); + $updateToken->execute([$matchedRow['phone_number'], $matchedRow['token']]); + if ($checkAdmin->rowCount() > 0) { $update = $con->prepare("UPDATE adminUser SET device_number = ?, updated_at = ? WHERE name = ?"); $update->execute([$deviceNumber, $now, $phone_number]); 
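Review bot: The new match loop compares the decrypted OTP with `===`, which stops at the first differing byte; the code should be compared with `hash_equals((string) $decryptedToken, (string) $token_code)` here and in the identical loops of the three following hunks. Every verify request now loads and decrypts all unexpired, unverified rows of the table instead of reading one indexed row, so the cost of a call grows with the number of pending codes and is paid again for each wrong guess; if the ciphertext lookup was dropped because the encryption is non-deterministic, a keyed-hash blind index column on the phone number stored next to the ciphertext would keep the query selective. `$encryptedPhone` and `$encryptedToken` are no longer defined, so any code between these hunks that still reads them would now see an undefined variable. The enclosing try block continues outside the hunk.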
@@ -91,19 +100,26 @@ try { jsonError("Your phone number could not be verified or the code is expired. Please try again."); } } elseif ($user_type === 'service') { - $sql = "SELECT `id` FROM `phone_verification_service` - WHERE `phone_number` = :phone AND `token_code` = :token - AND `expiration_time` > NOW() AND `is_verified` = 0"; + $sql = "SELECT `id`, `phone_number`, `token_code` FROM `phone_verification_service` + WHERE `expiration_time` > NOW() AND `is_verified` = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); - $result = $stmt->fetch(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($result) { - $sqlUpdate = "UPDATE `phone_verification_service` SET `is_verified` = 1 WHERE `phone_number` = :phone"; + $matchedRowId = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token_code']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRowId = $row['id']; + break; + } + } + + if ($matchedRowId) { + $sqlUpdate = "UPDATE `phone_verification_service` SET `is_verified` = 1 WHERE `id` = :id"; $stmtUpd = $con->prepare($sqlUpdate); - $stmtUpd->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); + $stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT); $stmtUpd->execute(); jsonSuccess(null, "Your phone number has been verified."); } else { 
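Review bot: On a successful match the UPDATE now flips `is_verified` only for the one row whose id matched, whereas the replaced statement marked every row for the phone; if the table can hold more than one pending row per phone (a user who requested a code twice), the other unexpired codes remain redeemable after this one is consumed. The loop can collect the ids of every pending row whose decrypted phone equals `$phone_number` and consume them together, as sketched below; the driver and passenger hunks that follow narrow their UPDATE in the same way. `if ($matchedRowId)` is also a truthiness test on a database id, where `$matchedRowId !== null` is the intended check. The else branch of this if continues outside the hunk.
```php
$matchedRowId = null;
$pendingIdsForPhone = [];
foreach ($rows as $row) {
    if ($encryptionHelper->decryptData($row['phone_number']) !== $phone_number) {
        continue;
    }
    $pendingIdsForPhone[] = (int) $row['id'];
    $decryptedToken = $encryptionHelper->decryptData($row['token_code']);
    if ($matchedRowId === null && is_string($decryptedToken) && hash_equals($decryptedToken, (string) $token_code)) {
        $matchedRowId = (int) $row['id'];
    }
}

if ($matchedRowId !== null) {
    // consume every pending code issued to this phone, not only the one that matched
    $placeholders = implode(', ', array_fill(0, count($pendingIdsForPhone), '?'));
    $stmtUpd = $con->prepare("UPDATE `phone_verification_service` SET `is_verified` = 1 WHERE `id` IN ({$placeholders})");
    $stmtUpd->execute($pendingIdsForPhone);
    jsonSuccess(null, "Your phone number has been verified.");
} else {
    // … unchanged: jsonError …
```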
@@ -111,47 +127,53 @@ try { } } elseif ($user_type === 'driver') { if ($context === 'token_change') { - $sql = "SELECT `id` FROM `token_verification_driver` - WHERE `phone_number` = :phone - AND `token` = :token - AND `expiration_time` > NOW() AND `verified` = 0"; - + $sql = "SELECT `id`, `phone_number`, `token` FROM `token_verification_driver` + WHERE `expiration_time` > NOW() AND `verified` = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); - $result = $stmt->fetch(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($result) { - // Update driver verified status - $sqlUpdate = "UPDATE `token_verification_driver` SET `verified` = 1 WHERE `phone_number` = :phone"; + $matchedRowId = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRowId = $row['id']; + break; + } + } + + if ($matchedRowId) { + $sqlUpdate = "UPDATE `token_verification_driver` SET `verified` = 1 WHERE `id` = :id"; $stmtUpd = $con->prepare($sqlUpdate); - $stmtUpd->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); + $stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT); $stmtUpd->execute(); - jsonSuccess(null, "Your phone number has been verified."); } else { jsonError("Your phone number could not be verified or the code is expired. 
Please try again."); } } else { - $sql = "SELECT `id` FROM `phone_verification` - WHERE `phone_number` = :phone - AND `token_code` = :token - AND `expiration_time` > NOW() AND `is_verified` = 0"; - + $sql = "SELECT `id`, `phone_number`, `token_code` FROM `phone_verification` + WHERE `expiration_time` > NOW() AND `is_verified` = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); - $result = $stmt->fetch(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($result) { - // Update driver is_verified status - $sqlUpdate = "UPDATE `phone_verification` SET `is_verified` = 1 WHERE `phone_number` = :phone"; + $matchedRowId = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token_code']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRowId = $row['id']; + break; + } + } + + if ($matchedRowId) { + $sqlUpdate = "UPDATE `phone_verification` SET `is_verified` = 1 WHERE `id` = :id"; $stmtUpd = $con->prepare($sqlUpdate); - $stmtUpd->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); + $stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT); $stmtUpd->execute(); - jsonSuccess(null, "Your phone number has been verified."); } else { jsonError("Your phone number could not be verified or the code is expired. Please try again."); 
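Review bot: In both driver branches the `jsonSuccess(null, "Your phone number has been verified.");` call that followed the UPDATE is removed with no replacement inside the hunk, so unless a success response is emitted after the if/else (outside this hunk) a verified driver now gets no response while the failure path still calls jsonError; the service hunk keeps its jsonSuccess, so the branches are now inconsistent, and the passenger hunk removes the same line twice. If the response was deliberately moved later, a one-line comment at the removal point such as `// success response is sent after this branch` would make that visible. The enclosing if/else runs past the end of the hunk.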
@@ -159,47 +181,53 @@ try { } } else { if ($context === 'token_change') { - $sql = "SELECT `id` FROM `token_verification` - WHERE `phone_number` = :phone - AND `token` = :token - AND `expiration_time` > NOW() AND `verified` = 0"; - + $sql = "SELECT `id`, `phone_number`, `token` FROM `token_verification` + WHERE `expiration_time` > NOW() AND `verified` = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); - $result = $stmt->fetch(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($result) { - // Update passenger verified status - $sqlUpdate = "UPDATE `token_verification` SET `verified` = 1 WHERE `phone_number` = :phone"; + $matchedRowId = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRowId = $row['id']; + break; + } + } + + if ($matchedRowId) { + $sqlUpdate = "UPDATE `token_verification` SET `verified` = 1 WHERE `id` = :id"; $stmtUpd = $con->prepare($sqlUpdate); - $stmtUpd->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); + $stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT); $stmtUpd->execute(); - jsonSuccess(null, "Your phone number has been verified."); } else { jsonError("Your phone number could not be verified or the code is expired. 
Please try again."); } } else { - $sql = "SELECT `id` FROM `phone_verification_passenger` - WHERE `phone_number` = :phone - AND `token` = :token - AND `expiration_time` > NOW() AND `verified` = 0"; - + $sql = "SELECT `id`, `phone_number`, `token` FROM `phone_verification_passenger` + WHERE `expiration_time` > NOW() AND `verified` = 0"; $stmt = $con->prepare($sql); - $stmt->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); - $stmt->bindParam(':token', $encryptedToken, PDO::PARAM_STR); $stmt->execute(); - $result = $stmt->fetch(); + $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); - if ($result) { - // Update passenger verified status - $sqlUpdate = "UPDATE `phone_verification_passenger` SET `verified` = 1 WHERE `phone_number` = :phone"; + $matchedRowId = null; + foreach ($rows as $row) { + $decryptedPhone = $encryptionHelper->decryptData($row['phone_number']); + $decryptedToken = $encryptionHelper->decryptData($row['token']); + if ($decryptedPhone === $phone_number && $decryptedToken === $token_code) { + $matchedRowId = $row['id']; + break; + } + } + + if ($matchedRowId) { + $sqlUpdate = "UPDATE `phone_verification_passenger` SET `verified` = 1 WHERE `id` = :id"; $stmtUpd = $con->prepare($sqlUpdate); - $stmtUpd->bindParam(':phone', $encryptedPhone, PDO::PARAM_STR); + $stmtUpd->bindParam(':id', $matchedRowId, PDO::PARAM_INT); $stmtUpd->execute(); - jsonSuccess(null, "Your phone number has been verified."); } else { jsonError("Your phone number could not be verified or the code is expired. Please try again.");
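Review bot: The fetch-decrypt-compare loop in this hunk appears twice more, making six near-verbatim copies across the file (admin, service, two driver and two passenger branches) that differ only in table name and token column; a single helper such as `function findPendingVerificationId(PDO $con, $encryptionHelper, string $table, string $tokenColumn, string $phone, string $code): ?int` would let the comparison and the consumption logic be maintained in one place. Because the table and column names would be interpolated into SQL, the helper should take them from a fixed allow-list inside the file, never from request data. `if ($matchedRowId)` should be `if ($matchedRowId !== null)` in both branches. Both passenger branches continue outside the hunk.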