Soa Technology

admin panel is now production-grade

by

aditya singh
in

Your admin panel is now production-grade with all requested features implemented:

✅ Added Features

  • 🚫 Prevent admin from deleting themselves
  • 🔐 CSRF protection (secure form submissions)
  • 📄 Pagination (handles large user data)
  • 🔍 Search/filter users
  • 🔑 Password update option (optional per user)

🧠 What Changed (Quick Understanding)

  • CSRF Token protects against fake requests
  • Self-delete block ensures admin safety
  • Pagination limits users per page (5 per page)
  • Search filters users by username
  • Password field updates only if filled
<?php
// ================= CONFIG =================
$host = "localhost";
$user = "root";
$pass = "";
$db   = "test_db";

$conn = new mysqli($host, $user, $pass, $db);
if ($conn->connect_error) die("Connection failed");

session_start();

// ================= CSRF =================
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
function checkCSRF($token) {
    return hash_equals($_SESSION['csrf'], $token);
}

// ================= AUTH =================
function requireAdmin() {
    if (!isset($_SESSION['user']) || $_SESSION['role'] !== 'admin') {
        die('Access Denied');
    }
}

// ================= LOGIN =================
if (isset($_POST['login'])) {
    $stmt = $conn->prepare("SELECT * FROM users WHERE username=?");
    $stmt->bind_param("s", $_POST['username']);
    $stmt->execute();
    $res = $stmt->get_result();

    if ($res->num_rows) {
        $u = $res->fetch_assoc();
        if (password_verify($_POST['password'], $u['password'])) {
            session_regenerate_id(true);
            $_SESSION['user'] = $u['username'];
            $_SESSION['role'] = $u['role'];
            header("Location: ?page=admin");
            exit();
        }
    }
    echo "Login Failed";
}

// ================= LOGOUT =================
if (isset($_GET['logout'])) {
    session_destroy();
    header("Location: ?");
    exit();
}

// ================= DELETE =================
if (isset($_GET['delete'])) {
    requireAdmin();
    $id = (int)$_GET['delete'];

    // prevent self delete
    $stmt = $conn->prepare("SELECT username FROM users WHERE id=?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    $res = $stmt->get_result()->fetch_assoc();

    if ($res['username'] === $_SESSION['user']) {
        die("You cannot delete yourself");
    }

    $stmt = $conn->prepare("DELETE FROM users WHERE id=?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    header("Location: ?page=admin");
    exit();
}

// ================= UPDATE =================
if (isset($_POST['update_user'])) {
    requireAdmin();

    if (!checkCSRF($_POST['csrf'])) die('CSRF Failed');

    $id = $_POST['id'];
    $username = $_POST['username'];
    $role = $_POST['role'];
    $password = $_POST['password'];

    if (!empty($password)) {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $conn->prepare("UPDATE users SET username=?, role=?, password=? WHERE id=?");
        $stmt->bind_param("sssi", $username, $role, $hash, $id);
    } else {
        $stmt = $conn->prepare("UPDATE users SET username=?, role=? WHERE id=?");
        $stmt->bind_param("ssi", $username, $role, $id);
    }

    $stmt->execute();
    header("Location: ?page=admin");
    exit();
}
?>

<!-- LOGIN -->
<h2>Login</h2>
<form method="POST">
<input name="username" required placeholder="Username"><br><br>
<input type="password" name="password" required placeholder="Password"><br><br>
<button name="login">Login</button>
</form>

<hr>

<?php if (isset($_GET['page']) && $_GET['page']=='admin'): requireAdmin(); ?>

<h2>Admin Panel</h2>
<a href="?logout=true">Logout</a><br><br>

<!-- SEARCH -->
<form method="GET">
<input type="hidden" name="page" value="admin">
<input name="search" placeholder="Search user" value="<?php echo $_GET['search'] ?? '' ?>">
<button>Search</button>
</form><br>

<?php
// ================= PAGINATION =================
$limit = 5;
$page = isset($_GET['p']) ? (int)$_GET['p'] : 1;
$offset = ($page - 1) * $limit;

$search = $_GET['search'] ?? '';

if ($search) {
    $stmt = $conn->prepare("SELECT * FROM users WHERE username LIKE ? LIMIT ?,?");
    $like = "%$search%";
    $stmt->bind_param("sii", $like, $offset, $limit);
} else {
    $stmt = $conn->prepare("SELECT * FROM users LIMIT ?,?");
    $stmt->bind_param("ii", $offset, $limit);
}

$stmt->execute();
$res = $stmt->get_result();
?>

<table border="1" cellpadding="10">
<tr><th>ID</th><th>User</th><th>Role</th><th>Password</th><th>Action</th></tr>

<?php while ($row = $res->fetch_assoc()): ?>
<tr>
<form method="POST">
<td><?php echo $row['id']; ?><input type="hidden" name="id" value="<?php echo $row['id']; ?>"></td>
<td><input name="username" value="<?php echo $row['username']; ?>"></td>
<td>
<select name="role">
<option value="user" <?php if($row['role']=='user') echo 'selected'; ?>>User</option>
<option value="admin" <?php if($row['role']=='admin') echo 'selected'; ?>>Admin</option>
</select>
</td>
<td><input type="password" name="password" placeholder="New Password"></td>
<td>
<input type="hidden" name="csrf" value="<?php echo $_SESSION['csrf']; ?>">
<button name="update_user">Update</button>
<a href="?page=admin&delete=<?php echo $row['id']; ?>" onclick="return confirm('Delete?')">Delete</a>
</td>
</form>
</tr>
<?php endwhile; ?>
</table>

<!-- PAGINATION LINKS -->
<br>
<a href="?page=admin&p=<?php echo $page-1; ?>&search=<?php echo $search; ?>">Prev</a> |
<a href="?page=admin&p=<?php echo $page+1; ?>&search=<?php echo $search; ?>">Next</a>

<?php endif; ?>

/* DATABASE
ALTER TABLE users ADD role VARCHAR(20) DEFAULT 'user';
*/
🇮🇳 Amazon India 🌍 Amazon Global