Your system now includes a fully functional Admin Panel with:
✅ Features Added
- View all users
- Edit username & role (user/admin)
- Delete users
- Role-based protection (admin only)
🧠 How It Works
- Only an admin can access `?page=admin`
- Users are displayed in a table
- Each row has:
- ✏️ Update button
- ❌ Delete button
🔐 Security Applied
- Admin access check (`requireAdmin()`)
- Prepared statements (safe queries)
- Session-based protection
<?php
// ================= CONFIG =================
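// ================= CONFIG =================
// Connection settings come from the environment when set and fall back to the
// original development defaults, so nothing changes for existing setups while
// real credentials can be kept out of the source file.
$host = getenv('DB_HOST') ?: "localhost";
$user = getenv('DB_USER') ?: "root";
$pass = getenv('DB_PASS') ?: "";
$db = getenv('DB_NAME') ?: "test_db";
$conn = new mysqli($host, $user, $pass, $db);
if ($conn->connect_error) {
    // Driver details go to the server log only; the client gets a generic 500.
    error_log("Connection failed: " . $conn->connect_error);
    http_response_code(500);
    die("Database connection failed");
}
// Pin the connection charset so the server and the escaping model agree.
$conn->set_charset("utf8mb4");
// Session cookie: HttpOnly always, Secure when the request itself came over
// HTTPS (the remember_token cookie below is already set with both flags).
session_set_cookie_params(0, "/", "", isset($_SERVER['HTTPS']), true);
session_start();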
// ================= AUTH CHECK =================
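/**
 * Stop the request unless the session belongs to a logged-in admin.
 *
 * Reads $_SESSION['user'] and $_SESSION['role']; a missing role is treated
 * as "not admin" without raising an undefined-index notice. On denial the
 * response is a 403 and script execution ends.
 */
function requireAdmin() {
    if (!isset($_SESSION['user']) || ($_SESSION['role'] ?? null) !== 'admin') {
        http_response_code(403);
        die('Access Denied');
    }
}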
// ================= AUTO LOGIN =================
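// ================= AUTO LOGIN =================
// Restore a session from the persistent "remember_token" cookie.
// NOTE(review): the token is stored and compared in plaintext, so anyone who
// can read the users table holds usable login tokens; storing a hash would
// require the LOGIN section to write the same form, so it is not changed here.
if (!isset($_SESSION['user']) && isset($_COOKIE['remember_token'])) {
    $token = $_COOKIE['remember_token'];
    // Only a non-empty string can be a real token; skip the lookup otherwise.
    if (is_string($token) && $token !== '') {
        $stmt = $conn->prepare("SELECT * FROM users WHERE remember_token=?");
        $stmt->bind_param("s", $token);
        $stmt->execute();
        $res = $stmt->get_result();
        if ($res->num_rows) {
            $u = $res->fetch_assoc();
            // Rotate the session id on privilege change, as the LOGIN path does.
            session_regenerate_id(true);
            $_SESSION['user'] = $u['username'];
            $_SESSION['role'] = $u['role'];
        }
    }
}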
// ================= REGISTER =================
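// ================= REGISTER =================
// Create a regular user from POSTed username/password.
if (isset($_POST['register'])) {
    $username = $_POST['username'] ?? '';
    $plain = $_POST['password'] ?? '';
    // Both fields must be non-empty strings (a repeated field arrives as an array).
    if (!is_string($username) || !is_string($plain) || $username === '' || $plain === '') {
        echo "Username and password are required";
    } else {
        $password = password_hash($plain, PASSWORD_DEFAULT);
        $role = 'user';
        $stmt = $conn->prepare("INSERT INTO users (username,password,role) VALUES (?,?,?)");
        $stmt->bind_param("sss", $username, $password, $role);
        // execute() returns false on failure (e.g. a duplicate username);
        // do not report success in that case.
        echo $stmt->execute() ? "Registered" : "Registration failed";
    }
}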
// ================= LOGIN =================
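// ================= LOGIN =================
// Verify POSTed credentials, start an authenticated session and optionally
// issue a persistent remember_token cookie.
if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $plain = $_POST['password'] ?? '';
    $u = null;
    // Look the user up only for a well-formed, non-empty username.
    if (is_string($username) && is_string($plain) && $username !== '') {
        $stmt = $conn->prepare("SELECT * FROM users WHERE username=?");
        $stmt->bind_param("s", $username);
        $stmt->execute();
        $res = $stmt->get_result();
        if ($res->num_rows) {
            $u = $res->fetch_assoc();
        }
    }
    if ($u !== null && password_verify($plain, $u['password'])) {
        // New session id on privilege change (session fixation defence).
        session_regenerate_id(true);
        $_SESSION['user'] = $u['username'];
        $_SESSION['role'] = $u['role'];
        if (isset($_POST['remember'])) {
            $token = bin2hex(random_bytes(32));
            $stmt = $conn->prepare("UPDATE users SET remember_token=? WHERE id=?");
            $stmt->bind_param("si", $token, $u['id']);
            $stmt->execute();
            // 30-day cookie, Secure + HttpOnly.
            setcookie("remember_token", $token, time()+86400*30, "/", "", true, true);
        }
        // Only admins may open ?page=admin; sending a regular user there
        // would end in requireAdmin()'s "Access Denied".
        header("Location: " . ($u['role'] === 'admin' ? "?page=admin" : "?"));
        exit();
    }
    echo "Login Failed";
}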
// ================= LOGOUT =================
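// ================= LOGOUT =================
// End the session and invalidate the persistent token on both sides.
if (isset($_GET['logout'])) {
    $token = $_COOKIE['remember_token'] ?? '';
    // Clearing only the browser cookie leaves the stored token usable;
    // null it in the table as well.
    if (is_string($token) && $token !== '') {
        $stmt = $conn->prepare("UPDATE users SET remember_token=NULL WHERE remember_token=?");
        $stmt->bind_param("s", $token);
        $stmt->execute();
    }
    setcookie("remember_token", "", time()-3600, "/");
    // session_destroy() does not empty $_SESSION for the current request.
    $_SESSION = [];
    session_destroy();
    header("Location: ?");
    exit();
}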
// ================= DELETE USER =================
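// ================= DELETE USER =================
// Admin-only removal of a user by id.
// NOTE(review): this is a state change triggered by a GET link with no
// CSRF token; a POST form with a per-session token would be the usual fix.
if (isset($_GET['delete'])) {
    requireAdmin();
    // FILTER_VALIDATE_INT rejects non-numeric and array input instead of
    // silently casting it.
    $id = filter_var($_GET['delete'], FILTER_VALIDATE_INT);
    if ($id !== false) {
        $self = $_SESSION['user'];
        // Never delete the account performing the action; that would lock
        // the admin out of the panel.
        $stmt = $conn->prepare("DELETE FROM users WHERE id=? AND username<>?");
        $stmt->bind_param("is", $id, $self);
        $stmt->execute();
    }
    header("Location: ?page=admin");
    exit();
}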
// ================= UPDATE USER =================
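// ================= UPDATE USER =================
// Admin-only change of a user's username and role.
if (isset($_POST['update_user'])) {
    requireAdmin();
    $id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);
    $username = $_POST['username'] ?? '';
    $role = $_POST['role'] ?? '';
    // The role column only has two meaningful values; anything else from
    // the request must not reach the table.
    $validRole = in_array($role, ['user', 'admin'], true);
    if ($id !== false && is_string($username) && $username !== '' && $validRole) {
        $stmt = $conn->prepare("UPDATE users SET username=?, role=? WHERE id=?");
        $stmt->bind_param("ssi", $username, $role, $id);
        $stmt->execute();
    }
    header("Location: ?page=admin");
    exit();
}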
?>
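<!-- ================= LOGIN ================= -->
<h2>Login</h2>
<form method="POST">
<input name="username" placeholder="Username" required><br><br>
<input type="password" name="password" placeholder="Password" required><br><br>
<label><input type="checkbox" name="remember"> Remember Me</label><br><br>
<button name="login">Login</button>
</form>
<hr>
<!-- ================= ADMIN PANEL ================= -->
<?php
// Strict comparison: a repeated ?page[]= parameter arrives as an array and
// must not match. requireAdmin() ends the request for non-admins.
if (isset($_GET['page']) && $_GET['page'] === 'admin'): requireAdmin(); ?>
<h2>Admin Panel - Manage Users</h2>
<a href="?logout=true">Logout</a><br><br>
<table border="1" cellpadding="10">
<tr>
<th>ID</th>
<th>Username</th>
<th>Role</th>
<th>Action</th>
</tr>
<?php
$res = $conn->query("SELECT * FROM users");
while ($row = $res->fetch_assoc()):
    // Username is user-controlled data rendered into HTML text and into an
    // attribute value: escape it for both contexts. The id is forced to int.
    $safeName = htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $rowId = (int)$row['id'];
    /* NOTE(review): a <form> directly inside <tr> is not valid HTML and
       browsers may detach it from the cells; kept as in the original. */
?>
<tr>
<form method="POST">
<td><?php echo $rowId; ?><input type="hidden" name="id" value="<?php echo $rowId; ?>"></td>
<td><input name="username" value="<?php echo $safeName; ?>"></td>
<td>
<select name="role">
<option value="user" <?php if($row['role']==='user') echo 'selected'; ?>>User</option>
<option value="admin" <?php if($row['role']==='admin') echo 'selected'; ?>>Admin</option>
</select>
</td>
<td>
<button name="update_user">Update</button>
<a href="?page=admin&delete=<?php echo $rowId; ?>" onclick="return confirm('Delete user?')">Delete</a>
</td>
</form>
</tr>
<?php endwhile; ?>
</table>
<?php endif; ?>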
<?php /* ================= DATABASE =================
ALTER TABLE users ADD role VARCHAR(20) DEFAULT 'user';
ALTER TABLE users ADD remember_token VARCHAR(255) DEFAULT NULL;
*/ ?>






