Hamza-Ayed
1b5d6eae44
Simplify APNs payload for iOS visible notifications and fetch latest token
2026-06-30 22:13:45 +03:00
Hamza-Ayed
d9dc124c3e
Fix region_name fallback based on countryCode to prevent Damascus appearing for Jordan
2026-06-30 22:00:13 +03:00
Hamza-Ayed
e7785c9b2d
Log FCM errors in debug_info when push notification fails
2026-06-30 21:59:00 +03:00
Hamza-Ayed
cf748dfd7c
Decrypt token before FCM push and fallback to SMS on push fail, also decrypt names in campaigns log
2026-06-30 21:52:15 +03:00
Hamza-Ayed
de06d1cd75
Add debug counts
2026-06-30 21:48:34 +03:00
Hamza-Ayed
bd13cbb905
Update targeting logic in trigger_campaign.php to fallback to parsing phone prefixes instead of relying solely on passenger_opening_locations
2026-06-30 21:30:28 +03:00
Hamza-Ayed
fdd09d8f35
Fix SQL group by and undefined function errors in admin APIs
2026-06-30 21:17:06 +03:00
Hamza-Ayed
1ae8acad7a
Update: 2026-06-30 21:12:26
2026-06-30 21:12:26 +03:00
Hamza-Ayed
9cc14864a3
Update: 2026-06-29 00:26:08
2026-06-29 00:26:08 +03:00
Hamza-Ayed
03f26ce825
Update: 2026-06-29 00:12:38
2026-06-29 00:12:39 +03:00
Hamza-Ayed
1ff132cd07
Update: 2026-06-26 17:59:47
2026-06-26 17:59:47 +03:00
Hamza-Ayed
25d3237113
Update: 2026-06-26 17:58:12
2026-06-26 17:58:12 +03:00
Hamza-Ayed
060d9b08ae
Update: 2026-06-26 17:42:07
2026-06-26 17:42:07 +03:00
Hamza-Ayed
953ef28ec7
Update: 2026-06-26 17:39:24
2026-06-26 17:39:24 +03:00
Hamza-Ayed
ae21389240
Update: 2026-06-26 17:36:57
2026-06-26 17:36:57 +03:00
Hamza-Ayed
9ded734e38
Update: 2026-06-26 17:29:23
2026-06-26 17:29:23 +03:00
Hamza-Ayed
a9e2ee1a58
Update: 2026-06-26 01:10:36
2026-06-26 01:10:36 +03:00
Hamza-Ayed
35e54ea433
Update: 2026-06-25 19:10:25
2026-06-25 19:10:25 +03:00
Hamza-Ayed
b00b6a4cde
Update: 2026-06-25 19:05:13
2026-06-25 19:05:13 +03:00
Hamza-Ayed
63eea81039
Update: 2026-06-25 19:04:05
2026-06-25 19:04:05 +03:00
Hamza-Ayed
b57fd1cecb
Update: 2026-06-25 18:59:57
2026-06-25 18:59:57 +03:00
Hamza-Ayed
f3bafeb9e1
Update: 2026-06-25 18:57:58
2026-06-25 18:57:58 +03:00
Hamza-Ayed
7368feed11
Update: 2026-06-25 18:56:57
2026-06-25 18:56:57 +03:00
Hamza-Ayed
4a6b6d52a3
Update: 2026-06-25 18:53:08
2026-06-25 18:53:08 +03:00
Hamza-Ayed
85ff15cabe
Update: 2026-06-25 18:41:32
2026-06-25 18:41:33 +03:00
Hamza-Ayed
9b61bd50c8
Update: 2026-06-25 18:39:01
2026-06-25 18:39:01 +03:00
Hamza-Ayed
efe26c95be
Update: 2026-06-22 00:31:28
2026-06-22 00:31:29 +03:00
Hamza-Ayed
e73be65a72
Update: 2026-06-21 18:58:05
2026-06-21 18:58:13 +03:00
Hamza-Ayed
50a5308f43
Fix #20 : DDL removal from register.php, CORS policy, secret leak
- Removed ALTER TABLE DDL statements from Admin/auth/register.php (belongs in migration scripts)
- Added validated CORS with configurable allowed origins via CORS_ALLOWED_ORIGINS env var
- Removed assignment in load_env.php (secrets no longer exposed in superglobal)
2026-06-17 07:51:01 +03:00
Hamza-Ayed
2d607d9e90
Fix #19 : Plaintext OTP hashing + hardcoded server paths
- Changed OTP storage in Admin/auth/login.php from plaintext to sha256 hash
- Updated Admin/auth/verify_login.php to hash user input before comparison
- Replaced hardcoded /home/siro-api/ paths with environment variables:
  - ERROR_LOG_PATH, ENV_FILE_PATH, SECRET_KEY_PAY_PATH, SECRET_KEY_PATH
- Falls back to __DIR__-relative paths when env vars are unset
2026-06-17 07:49:46 +03:00
Hamza-Ayed
72eeb24cd7
Fix #18 : Exception leak remediation across 87 PHP files
- Replaced all client-facing $e->getMessage() with generic error messages
- Added error_log() with filename prefix to all catch blocks
- Covered jsonError(), echo, and json_encode() response patterns
- Also fixed 2 remaining display_errors=1 and add_invoice.php leak
- Script-assisted fix for 75 files, manual fix for 12 remaining edge cases
2026-06-17 07:48:31 +03:00
Hamza-Ayed
e51d266a0f
Fix #17 : SQL injection + mass data exposure (backend)
- Fixed SQL injection in ride/license/get.php (interpolated variable → parameterized query)
- Added admin role checks to all 3 mass data endpoints (driver tokens, passenger tokens, phones+tokens)
- Added pagination (50/page) to all 4 mass data endpoints
- Fixed LIMIT to use placeholders with type binding
2026-06-17 07:45:35 +03:00
Hamza-Ayed
4a9e6b22c5
fix(security): add role checks to 7 admin endpoints, fix undefined vars in admin_update_passenger, add input validation to send_whatsapp
2026-06-17 06:19:47 +03:00
Hamza-Ayed
9bbda24d4a
fix(security): add .gitignore, remove PEM keys and debug endpoints from tracking
2026-06-17 06:17:03 +03:00
Hamza-Ayed
b516fbc4ed
Update: 2026-06-16 17:47:17
2026-06-16 17:47:19 +03:00
Hamza-Ayed
fc58529b09
Update: 2026-06-16 01:17:28
2026-06-16 01:17:29 +03:00
Hamza-Ayed
04943e3d52
Update: 2026-06-15 19:39:21
2026-06-15 19:39:21 +03:00
Hamza-Ayed
2321b78244
Update: 2026-06-15 01:37:40
2026-06-15 01:37:41 +03:00
Hamza-Ayed
f021ba5a35
Update: 2026-06-14 22:10:07
2026-06-14 22:10:08 +03:00
Hamza-Ayed
f907212c57
Update: 2026-06-12 20:40:40
2026-06-12 20:40:40 +03:00
Hamza-Ayed
ef6b52d2e3
Update: 2026-06-12 01:23:54
2026-06-12 01:23:54 +03:00
Hamza-Ayed
c5170a88d2
Update: 2026-06-11 13:47:39
2026-06-11 13:47:40 +03:00
Hamza-Ayed
d8901e1a87
first commit
2026-06-09 08:40:31 +03:00