How to Develop Projects Using PHP and MySQL
Part 3
After a user logs in, they must be redirected to user_dashboard.php. If an admin logs in, they must be redirected to admin_dashboard.php.
There are only these 5 files in this section:
1. user_dashboard.php (user)
2. admin_dashboard.php (admin)
3. manage_users.php (admin)
4. edit_user.php (admin)
5. delete_user.php (admin)
1. user_dashboard.php
<?php
session_start();

// Check if user is logged in
if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit();
}

// Retrieve user information
$user_name  = $_SESSION['user_name'];
$user_email = $_SESSION['user_email'];
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Dashboard</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
    <?php include '../includes/navbar.php'; ?>
    <div class="container">
        <h2>Welcome, <?php echo htmlspecialchars($user_name); ?>!</h2>
        <p>Email: <?php echo htmlspecialchars($user_email); ?></p>
        <p>This is your user dashboard. You can manage your profile and perform other user-specific tasks.</p>
        <a href="logout.php">Logout</a>
    </div>
    <?php include '../includes/footer.php'; ?>
</body>
</html>
🔍 Code Explanation: user_dashboard.php
This PHP script serves as the User Dashboard after a successful login. It displays the user's name, email, and a logout option while ensuring that only logged-in users can access it.
1️⃣ PHP Section (User Authentication & Data Retrieval)
session_start();
// Check if user is logged in
if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit();
}
// Retrieve user information
$user_name = $_SESSION['user_name'];
$user_email = $_SESSION['user_email'];
✔ Explanation
1. session_start();
   o Starts the session to access stored user data.
2. Check if the user is logged in
   o If $_SESSION['user_id'] is not set, the user is redirected to login.php.
   o This prevents unauthorized users from directly accessing user_dashboard.php.
   o The exit() after header() matters: header() only queues the redirect, and without exit() PHP would continue and send the rest of the dashboard in the same response.
3. Retrieve user details
   o $_SESSION['user_name']: Stores the logged-in user's name.
   o $_SESSION['user_email']: Stores the logged-in user's email.
   o These values are retrieved to display personalized content on the dashboard.
2️⃣ HTML Structure (User Dashboard UI)
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>User Dashboard</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
    <?php include '../includes/navbar.php'; ?>
    <div class="container">
        <h2>Welcome, <?php echo htmlspecialchars($user_name); ?>!</h2>
        <p>Email: <?php echo htmlspecialchars($user_email); ?></p>
        <p>This is your user dashboard. You can manage your profile and perform other user-specific tasks.</p>
        <a href="logout.php">Logout</a>
    </div>
    <?php include '../includes/footer.php'; ?>
</body>
</html>
✔ Explanation
1. Basic HTML setup
   o <!DOCTYPE html>: Defines an HTML5 document.
   o <meta charset="UTF-8">: Ensures proper character encoding.
   o <meta name="viewport" content="width=device-width, initial-scale=1.0">: Makes the page responsive.
   o <title>User Dashboard</title>: Sets the page title.
   o <link rel="stylesheet" href="../assets/css/style.css">: Links an external CSS file for styling.
2. Including Navigation (navbar.php)
   <?php include '../includes/navbar.php'; ?>
   o Adds a navigation bar from an external file (navbar.php).
3. Displaying User Information
   <h2>Welcome, <?php echo htmlspecialchars($user_name); ?>!</h2>
   <p>Email: <?php echo htmlspecialchars($user_email); ?></p>
   o The user's name and email are displayed dynamically using PHP.
   o htmlspecialchars($user_name) escapes the value for HTML output, so a name containing markup or script is rendered as text rather than executed (XSS protection).
4. Logout Link
   <a href="logout.php">Logout</a>
   o Clicking this redirects the user to logout.php, where the session is destroyed.
5. Including Footer (footer.php)
   <?php include '../includes/footer.php'; ?>
   o Adds a footer section from an external file (footer.php).
🚀 How This Code Works
1. If the user is logged in, their name and email are displayed.
2. If the user is NOT logged in, they are redirected to login.php.
3. Provides navigation, profile details, and a logout option.
2. admin_dashboard.php
<?php
session_start();

// Check if admin is logged in
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

// Retrieve admin information
$admin_name  = $_SESSION['user_name'];
$admin_email = $_SESSION['user_email'];
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Admin Dashboard</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
    <?php include '../includes/navbar.php'; ?>
    <div class="container">
        <h2>Admin Dashboard</h2>
        <p>Welcome, <strong><?php echo htmlspecialchars($admin_name); ?></strong>!</p>
        <p>Email: <?php echo htmlspecialchars($admin_email); ?></p>
        <h3>Admin Controls</h3>
        <ul>
            <li><a href="manage_users.php">Manage Users</a></li>
            <li><a href="site_settings.php">Site Settings</a></li>
            <li><a href="reports.php">View Reports</a></li>
        </ul>
        <a href="logout.php">Logout</a>
    </div>
    <?php include '../includes/footer.php'; ?>
</body>
</html>
🔍 Code Explanation: admin_dashboard.php
This PHP script restricts access to admin users and provides an admin dashboard with links to manage users, site settings, and reports.
1️⃣ PHP Section (Admin Authentication & Data Retrieval)
session_start();
// Check if admin is logged in
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}
// Retrieve admin information
$admin_name = $_SESSION['user_name'];
$admin_email = $_SESSION['user_email'];
✔ Explanation
1. session_start();
   o Starts a session to access stored admin user data.
2. Check if the admin is logged in
   if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
       header("Location: login.php");
       exit();
   }
   o Ensures the user is logged in (isset($_SESSION['user_id'])).
   o Checks that the user's role is "admin" ($_SESSION['user_role'] !== 'admin'); the strict comparison rejects every value other than exactly the string 'admin'.
   o If the user is NOT an admin, they are redirected to login.php and prevented from accessing the page.
3. Retrieve admin details
   $admin_name = $_SESSION['user_name'];
   $admin_email = $_SESSION['user_email'];
   o Stores the admin's name and email from session variables for display on the dashboard.
2️⃣ HTML Structure (Admin Dashboard UI)
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Admin Dashboard</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
    <?php include '../includes/navbar.php'; ?>
    <div class="container">
        <h2>Admin Dashboard</h2>
        <p>Welcome, <strong><?php echo htmlspecialchars($admin_name); ?></strong>!</p>
        <p>Email: <?php echo htmlspecialchars($admin_email); ?></p>
        <h3>Admin Controls</h3>
        <ul>
            <li><a href="manage_users.php">Manage Users</a></li>
            <li><a href="site_settings.php">Site Settings</a></li>
            <li><a href="reports.php">View Reports</a></li>
        </ul>
        <a href="logout.php">Logout</a>
    </div>
    <?php include '../includes/footer.php'; ?>
</body>
</html>
✔ Explanation
1. Basic HTML setup
   o <!DOCTYPE html>: Defines an HTML5 document.
   o <meta charset="UTF-8">: Ensures correct text encoding.
   o <meta name="viewport" content="width=device-width, initial-scale=1.0">: Makes the page responsive.
   o <title>Admin Dashboard</title>: Sets the page title.
   o <link rel="stylesheet" href="../assets/css/style.css">: Links to an external CSS file for styling.
2. Including Navigation (navbar.php)
   <?php include '../includes/navbar.php'; ?>
   o Adds the navigation bar from an external file.
3. Displaying Admin Information
   <p>Welcome, <strong><?php echo htmlspecialchars($admin_name); ?></strong>!</p>
   <p>Email: <?php echo htmlspecialchars($admin_email); ?></p>
   o Displays the admin's name and email dynamically.
   o htmlspecialchars($admin_name) prevents XSS attacks (cross-site scripting).
4. Admin Controls (Dashboard Links)
   <h3>Admin Controls</h3>
   <ul>
       <li><a href="manage_users.php">Manage Users</a></li>
       <li><a href="site_settings.php">Site Settings</a></li>
       <li><a href="reports.php">View Reports</a></li>
   </ul>
   o Provides links to admin-related actions:
     § manage_users.php → Manage registered users.
     § site_settings.php → Modify site settings.
     § reports.php → View system reports.
   o Only manage_users.php is among the five files of this part; site_settings.php and reports.php are linked here but not built in this section.
5. Logout Button
   <a href="logout.php">Logout</a>
   o Clicking it logs the admin out and redirects them to login.php.
6. Including Footer (footer.php)
   <?php include '../includes/footer.php'; ?>
   o Adds the footer section from an external file.
🚀 How This Code Works
1. Only admins can access this page.
2. The admin's name and email are displayed.
3. Admins can navigate to Manage Users, Site Settings, and Reports.
4. A logout button is provided.
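Both dashboards (and, further down, all three admin pages) repeat the same session check at the top of the file. The following is an added example of a shared guard file that centralises that check together with the role-based redirect described at the start of this part; it is not one of the tutorial's files. It assumes login.php stores user_id and user_role in the session exactly as the pages above expect, and the Cache-Control header is an addition that goes beyond what the tutorial shows.

```php
<?php
// includes/auth.php: added example of a shared access-control guard. Not one of the
// tutorial's files; assumes login.php stored user_id and user_role in the session,
// as the two dashboards above expect.

/** Redirect to login.php unless someone is logged in. */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_id'])) {
        header("Location: login.php");
        exit(); // header() only queues the redirect; without exit() the page body would still be sent
    }
    // Not in the tutorial: tell the browser not to cache an authenticated page, so the
    // back button after logout does not show a stale copy of the dashboard.
    header("Cache-Control: no-store");
}

/** Require an exact role on top of being logged in. */
function require_role(string $role): void
{
    require_login();
    // Strict comparison, as in the tutorial: only the exact role string passes.
    if (!isset($_SESSION['user_role']) || $_SESSION['user_role'] !== $role) {
        header("Location: login.php");
        exit();
    }
}

/** Pick the landing page after login from the role stored for the user. */
function dashboard_for_role(string $role): string
{
    return $role === 'admin' ? 'admin_dashboard.php' : 'user_dashboard.php';
}

// Usage (hypothetical include path) at the top of admin_dashboard.php,
// manage_users.php, edit_user.php and delete_user.php:
//   require '../includes/auth.php';
//   require_role('admin');
// and at the top of user_dashboard.php:
//   require '../includes/auth.php';
//   require_login();
// In login.php, after a successful check:
//   header("Location: " . dashboard_for_role($row['role']));
```

Keeping the check in one place means a new admin page cannot forget the role test, and a change such as adding a third role is made once rather than in every file.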
3. manage_users.php
<?php
session_start();
include '../database/db_config.php'; // Database connection file

// Check if admin is logged in
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

// Fetch all users from the database
$query = "SELECT id, name, email, role FROM users";
$result = mysqli_query($conn, $query);
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Manage Users</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
    <?php include '../includes/navbar.php'; ?>
    <div class="container">
        <h2>Manage Users</h2>
        <table border="1">
            <thead>
                <tr>
                    <th>ID</th>
                    <th>Name</th>
                    <th>Email</th>
                    <th>Role</th>
                    <th>Actions</th>
                </tr>
            </thead>
            <tbody>
                <?php while ($row = mysqli_fetch_assoc($result)) { ?>
                <tr>
                    <td><?php echo $row['id']; ?></td>
                    <td><?php echo htmlspecialchars($row['name']); ?></td>
                    <td><?php echo htmlspecialchars($row['email']); ?></td>
                    <td><?php echo htmlspecialchars($row['role']); ?></td>
                    <td>
                        <a href="edit_user.php?id=<?php echo $row['id']; ?>">Edit</a> |
                        <a href="delete_user.php?id=<?php echo $row['id']; ?>" onclick="return confirm('Are you sure?')">Delete</a>
                    </td>
                </tr>
                <?php } ?>
            </tbody>
        </table>
        <a href="admin_dashboard.php">Back to Dashboard</a>
    </div>
    <?php include '../includes/footer.php'; ?>
</body>
</html>
<?php mysqli_close($conn); ?>
📌 Explanation of manage_users.php (Admin User Management Page)
This PHP script is used by an admin to view, edit, and delete users from the database. It ensures only admins can access the page and fetches all users from the database.
1️⃣ PHP Section Breakdown
✅ Step 1: Start Session & Connect to Database
session_start();
include '../database/db_config.php'; // Database connection file
- session_start(); → Starts the session to track logged-in users.
- include '../database/db_config.php'; → Includes the database connection file.
✅ Step 2: Restrict Access to Admins
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}
- $_SESSION['user_id'] → Checks if a user is logged in.
- $_SESSION['user_role'] !== 'admin' → Ensures the user is an admin.
- If the user is not logged in or not an admin, they are redirected to login.php.
✅ Step 3: Fetch All Users from Database
$query = "SELECT id, name, email, role FROM users";
$result = mysqli_query($conn, $query);
- This fetches all users (id, name, email, role) from the users table.
- The result is stored in $result, which is used later to display users in a table.
2️⃣ HTML Structure Breakdown
✅ Step 4: Standard HTML Structure
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Manage Users</title>
    <link rel="stylesheet" href="../assets/css/style.css">
</head>
<body>
- Loads a CSS file (style.css) for styling the page.
- Sets up meta tags for character encoding & responsive design.
✅ Step 5: Include Navigation Bar
<?php include '../includes/navbar.php'; ?>
- Includes the navigation bar from an external file.
✅ Step 6: Display Users in a Table
<div class="container">
    <h2>Manage Users</h2>
    <table border="1">
        <thead>
            <tr>
                <th>ID</th>
                <th>Name</th>
                <th>Email</th>
                <th>Role</th>
                <th>Actions</th>
            </tr>
        </thead>
        <tbody>
- Displays a table to list all users.
- Table columns: ID, Name, Email, Role, Actions.
✅ Step 7: Populate Table with Users (Loop through Database Records)
<?php while ($row = mysqli_fetch_assoc($result)) { ?>
<tr>
    <td><?php echo $row['id']; ?></td>
    <td><?php echo htmlspecialchars($row['name']); ?></td>
    <td><?php echo htmlspecialchars($row['email']); ?></td>
    <td><?php echo htmlspecialchars($row['role']); ?></td>
    <td>
        <a href="edit_user.php?id=<?php echo $row['id']; ?>">Edit</a> |
        <a href="delete_user.php?id=<?php echo $row['id']; ?>" onclick="return confirm('Are you sure?')">Delete</a>
    </td>
</tr>
<?php } ?>
- while ($row = mysqli_fetch_assoc($result)) → Loops through all users, one table row per database row.
- htmlspecialchars($row['name']) → Prevents XSS attacks; the same escaping is applied to email and role, since all three are stored data that a user originally typed.
- Edit & Delete Options:
  - Edit → edit_user.php?id=USER_ID
  - Delete → delete_user.php?id=USER_ID (confirmation before deleting)
✅ Step 8: Back to Dashboard Button
<a href="admin_dashboard.php">Back to Dashboard</a>
- Takes the admin back to the dashboard.
✅ Step 9: Include Footer & Close HTML
<?php include '../includes/footer.php'; ?>
</body>
</html>
- Includes a footer (footer.php).
- Closes the HTML page.
3️⃣ PHP Code After HTML (Close Database Connection)
<?php
mysqli_close($conn);
?>
- Closes the database connection to free up resources.
🛠 Security Measures
✅ Session Security: Ensures only logged-in admins can access the page.
✅ SQL Injection Prevention: Uses prepared statements in db_config.php (not shown here). The SELECT on this page contains no user-supplied values, so there is nothing to inject here; prepared statements matter in edit_user.php and delete_user.php, where the id comes from the URL.
✅ XSS Protection: Uses htmlspecialchars() to prevent script injections.
✅ Delete Confirmation: Prevents accidental deletion with confirm('Are you sure?').
🎯 Summary
- This script allows the admin to manage users (view, edit, delete).
- Only admins can access this page.
- Data is displayed securely using htmlspecialchars().
- Uses session validation to prevent unauthorized access.
4. edit_user.php
<?php
session_start();
include '../database/db_config.php'; // Database connection file

// Check if admin is logged in
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

// Get user ID from URL
if (isset($_GET['id'])) {
    $user_id = $_GET['id'];
    $query = "SELECT * FROM users WHERE id = $user_id";
    $result = mysqli_query($conn, $query);
    $user = mysqli_fetch_assoc($result);
}

// Update user details
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name  = mysqli_real_escape_string($conn, $_POST['name']);
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $role  = mysqli_real_escape_string($conn, $_POST['role']);

    $updateQuery = "UPDATE users SET name='$name', email='$email', role='$role' WHERE id=$user_id";
    if (mysqli_query($conn, $updateQuery)) {
        header("Location: manage_users.php");
        exit();
    } else {
        echo "Error updating record: " . mysqli_error($conn);
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Edit User</title>
</head>
<body>
    <h2>Edit User</h2>
    <form method="post">
        <label>Name:</label>
        <input type="text" name="name" value="<?php echo $user['name']; ?>" required>
        <br>
        <label>Email:</label>
        <input type="email" name="email" value="<?php echo $user['email']; ?>" required>
        <br>
        <label>Role:</label>
        <select name="role">
            <option value="user" <?php if ($user['role'] == 'user') echo 'selected'; ?>>User</option>
            <option value="admin" <?php if ($user['role'] == 'admin') echo 'selected'; ?>>Admin</option>
        </select>
        <br>
        <button type="submit">Update</button>
    </form>
    <a href="manage_users.php">Back to Users</a>
</body>
</html>
<?php mysqli_close($conn); ?>
📌 Explanation of edit_user.php (Admin User Editing Page)
This script allows an admin to edit user details (name, email, role). It ensures only an admin can access the page and update user information in the database.
1️⃣ PHP Section Breakdown
✅ Step 1: Start Session & Connect to Database
session_start();
include '../database/db_config.php'; // Database connection file
- session_start(); → Starts the session to track logged-in users.
- include '../database/db_config.php'; → Connects to the database.
✅ Step 2: Restrict Access to Admins
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}
- Ensures only admins can access this page.
- If the user is not logged in or not an admin, they are redirected to login.php.
✅ Step 3: Get User ID from URL
if (isset($_GET['id'])) {
    $user_id = $_GET['id'];
    $query = "SELECT * FROM users WHERE id = $user_id";
    $result = mysqli_query($conn, $query);
    $user = mysqli_fetch_assoc($result);
}
- Retrieves the user ID from the URL (edit_user.php?id=USER_ID).
- Runs a SQL query to get user details from the users table.
- Stores user details in $user (to pre-fill the form later).
⚠ Potential Security Risk
- Directly embedding $user_id in SQL (id = $user_id) can lead to SQL injection!
- Safer Alternative: Use prepared statements.
✅ Step 4: Process Form Submission (Update User Details)
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = mysqli_real_escape_string($conn, $_POST['name']);
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $role = mysqli_real_escape_string($conn, $_POST['role']);
    $updateQuery = "UPDATE users SET name='$name', email='$email', role='$role' WHERE id=$user_id";
    if (mysqli_query($conn, $updateQuery)) {
        header("Location: manage_users.php");
        exit();
    } else {
        echo "Error updating record: " . mysqli_error($conn);
    }
}
- When the form is submitted, the script:
  - Gets new values (name, email, role) from the form.
  - Sanitizes input using mysqli_real_escape_string() to prevent SQL injection. This covers the quoted name, email and role values only; $user_id in the WHERE clause is neither quoted nor escaped, which is the risk the security section below describes.
  - Runs an UPDATE query to modify the user's details.
  - If successful, redirects to manage_users.php (admin user list).
  - If an error occurs, it displays the error message.
⚠ Security Risk:
- Directly inserting user input into SQL is unsafe.
- Safer Approach: Use prepared statements.
2️⃣ HTML Form Breakdown
✅ Step 5: Standard HTML Structure
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Edit User</title>
</head>
<body>
- Sets up the HTML document with the title "Edit User".
✅ Step 6: Display Edit Form
<h2>Edit User</h2>
<form method="post">
    <label>Name:</label>
    <input type="text" name="name" value="<?php echo $user['name']; ?>" required>
    <br>
    <label>Email:</label>
    <input type="email" name="email" value="<?php echo $user['email']; ?>" required>
    <br>
    <label>Role:</label>
    <select name="role">
        <option value="user" <?php if ($user['role'] == 'user') echo 'selected'; ?>>User</option>
        <option value="admin" <?php if ($user['role'] == 'admin') echo 'selected'; ?>>Admin</option>
    </select>
    <br>
    <button type="submit">Update</button>
</form>
How It Works:
- Prefills input fields with current user data (name, email, role).
- Dropdown (<select>) for role:
  - If role == 'user', "User" is selected.
  - If role == 'admin', "Admin" is selected.
- Submit button updates the user when clicked.
- The form has no action attribute, so it posts back to the same URL (edit_user.php?id=USER_ID); that is why $user_id, read from $_GET['id'], is still available when the POST branch runs.
- Unlike the dashboards, the values are echoed into the value attributes without htmlspecialchars(), so a stored name or email containing a double quote can break out of the attribute; the same escaping used elsewhere on these pages applies here too.
✅ Step 7: Back to User Management Page
<a href="manage_users.php">Back to Users</a>
- Redirects the admin back to the user list.
3️⃣ PHP Code After HTML (Close Database Connection)
<?php
mysqli_close($conn);
?>
- Closes the database connection to free up resources.
🛠 Security Concerns & Best Practices
🚨 Current Issues:
1. SQL Injection Risk
   o $user_id is directly used in SQL → unsafe.
   o ✅ Solution: Use prepared statements:
   $stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
   $stmt->bind_param("i", $user_id);
   $stmt->execute();
   $result = $stmt->get_result();
   $user = $result->fetch_assoc();
   o The UPDATE query uses the same $user_id in its WHERE clause and should be prepared in the same way.
2. No Validation for Email Format
   o ✅ Solution: Use filter_var():
   if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
       echo "Invalid email format";
       exit();
   }
3. No CSRF Protection
   o Anyone can send a fake request to update user data: any other site the logged-in admin visits can make their browser submit this form, and the session cookie goes with it.
   o ✅ Solution: Use a CSRF token.
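The three fixes above, applied together to the whole file. This is an added example, not the tutorial's edit_user.php; it assumes, as the tutorial's own snippets do, that db_config.php sets $conn to a mysqli object, and that login.php stored user_id and user_role in the session. Beyond the three listed issues it also validates the id as an integer, restricts role to the two values the form offers, escapes the pre-filled values, and logs the database error instead of printing it.

```php
<?php
// Hardened edit_user.php (added example, not the tutorial's file).
// Assumes db_config.php sets $conn to a mysqli object and that login.php stored
// user_id / user_role in the session, as in the pages above.
session_start();
include '../database/db_config.php';

if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

// CSRF token: created once per session, embedded in the form, checked on every POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// The form posts back to the same URL, so ?id= is present on both GET and POST.
// FILTER_VALIDATE_INT guarantees only an integer can ever reach a query.
$user_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!$user_id) {
    http_response_code(400);
    exit('Missing or invalid user id');
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constant-time comparison of the submitted token with the one in the session.
    if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $name  = trim($_POST['name'] ?? '');
    $email = trim($_POST['email'] ?? '');
    $role  = $_POST['role'] ?? '';

    if ($name === '') {
        $error = 'Name is required';
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $error = 'Invalid email format';
    } elseif (!in_array($role, ['user', 'admin'], true)) {
        $error = 'Invalid role'; // only the two roles the form offers are accepted
    } else {
        // Prepared statement: the values are sent separately from the SQL text.
        $stmt = $conn->prepare("UPDATE users SET name = ?, email = ?, role = ? WHERE id = ?");
        $stmt->bind_param("sssi", $name, $email, $role, $user_id);
        $ok = $stmt->execute();
        if (!$ok) {
            error_log("edit_user update failed: " . $stmt->error); // detail goes to the log, not the browser
        }
        $stmt->close();
        if ($ok) {
            mysqli_close($conn);
            header("Location: manage_users.php");
            exit();
        }
        $error = 'Error updating record';
    }
}

// Load the current values (also via a prepared statement) to pre-fill the form.
$stmt = $conn->prepare("SELECT name, email, role FROM users WHERE id = ?");
$stmt->bind_param("i", $user_id);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc();
$stmt->close();
mysqli_close($conn);
if (!$user) {
    http_response_code(404);
    exit('User not found');
}
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Edit User</title></head>
<body>
    <h2>Edit User</h2>
    <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error) . '</p>'; } ?>
    <form method="post">
        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
        <label>Name:</label>
        <input type="text" name="name" value="<?php echo htmlspecialchars($user['name']); ?>" required>
        <br>
        <label>Email:</label>
        <input type="email" name="email" value="<?php echo htmlspecialchars($user['email']); ?>" required>
        <br>
        <label>Role:</label>
        <select name="role">
            <option value="user" <?php if ($user['role'] === 'user') echo 'selected'; ?>>User</option>
            <option value="admin" <?php if ($user['role'] === 'admin') echo 'selected'; ?>>Admin</option>
        </select>
        <br>
        <button type="submit">Update</button>
    </form>
    <a href="manage_users.php">Back to Users</a>
</body>
</html>
```

The token check sits before any input is read so that a forged POST is rejected before it can do anything; hash_equals() is used rather than == so that the comparison does not leak timing information. With get_result(), the mysqlnd driver is required, the same requirement as the tutorial's own prepared-statement snippet.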
🎯 Summary
✔ Allows admins to edit user details (name, email, role).
✔ Restricts access to admins only.
✔ Fetches user details from the database and pre-fills the form.
✔ Updates user information in the database when submitted.
✔ Redirects back to the user management page after updating.
5. delete_user.php
<?php
session_start();
include '../database/db_config.php'; // Database connection file

// Check if admin is logged in
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

// Get user ID from URL and delete the user
if (isset($_GET['id'])) {
    $user_id = $_GET['id'];
    $query = "DELETE FROM users WHERE id = $user_id";
    if (mysqli_query($conn, $query)) {
        header("Location: manage_users.php");
        exit();
    } else {
        echo "Error deleting record: " . mysqli_error($conn);
    }
}
mysqli_close($conn);
?>
Output: the record is deleted; confirm it from the database or from the manage_users.php page.
📌 Explanation of delete_user.php (Admin Delete User Page)
This script deletes a user from the database when an admin clicks the "Delete" button. It ensures that only an admin can perform this action.
1️⃣ PHP Section Breakdown
✅ Step 1: Start Session & Connect to Database
session_start();
include '../database/db_config.php'; // Database connection file
- session_start(); → Starts a session to track the logged-in user.
- include '../database/db_config.php'; → Connects to the database.
✅ Step 2: Restrict Access to Admins
if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}
- Ensures only admins can access this page.
- If the user is not logged in or not an admin, they are redirected to login.php.
✅ Step 3: Get User ID from URL & Delete the User
if (isset($_GET['id'])) {
    $user_id = $_GET['id'];
    $query = "DELETE FROM users WHERE id = $user_id";
    if (mysqli_query($conn, $query)) {
        header("Location: manage_users.php");
        exit();
    } else {
        echo "Error deleting record: " . mysqli_error($conn);
    }
}
📌 How It Works:
1. Checks if id is passed in the URL (delete_user.php?id=USER_ID).
2. Retrieves the user ID from $_GET['id'].
3. Runs the DELETE query:
   DELETE FROM users WHERE id = USER_ID;
4. If successful, redirects to manage_users.php (admin user list).
5. If an error occurs, it displays "Error deleting record: ...".
✅ Step 4: Close Database Connection
mysqli_close($conn);
- Closes the database connection to free up server resources.
2️⃣ Security Concerns & Best Practices
🚨 Current Issues:
1. 🚨 SQL Injection Risk
   o $user_id is directly inserted in SQL (DELETE FROM users WHERE id = $user_id) → unsafe.
   o ✅ Solution: Use prepared statements:
   $stmt = $conn->prepare("DELETE FROM users WHERE id = ?");
   $stmt->bind_param("i", $user_id);
   $stmt->execute();
   $stmt->close();
2. 🚨 No Confirmation Before Deletion
   o A user can accidentally delete another user.
   o ✅ Solution: Use a JavaScript confirmation before deletion:
   <a href="delete_user.php?id=USER_ID" onclick="return confirm('Are you sure you want to delete this user?')">Delete</a>
   o manage_users.php above already attaches this onclick to its Delete link. A confirm() dialog only guards against an accidental click in the browser; the request delete_user.php?id=USER_ID itself is unchanged, so the server-side script still needs its own checks.
3. 🚨 No Check for Self-Deletion
   o An admin can delete themselves, which might lock them out.
   o ✅ Solution: Prevent self-deletion:
   if ($user_id == $_SESSION['user_id']) {
       echo "You cannot delete yourself!";
       exit();
   }
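The three fixes combined into one file, as an added example that is not the tutorial's delete_user.php. It assumes db_config.php sets $conn to a mysqli object and that login.php stored user_id and user_role in the session. It goes beyond the list above in two ways: the confirmation is done server-side (a GET from the Delete link in manage_users.php only shows a confirmation form, so it works without JavaScript and the link stays as it is), and the actual delete is a POST carrying the same kind of CSRF token the edit page's security section calls for, since the destructive request has the same forgery problem as the update form.

```php
<?php
// Hardened delete_user.php (added example, not the tutorial's file).
// Assumes db_config.php sets $conn to a mysqli object and that login.php stored
// user_id / user_role in the session, as in the pages above.
session_start();
include '../database/db_config.php';

if (!isset($_SESSION['user_id']) || $_SESSION['user_role'] !== 'admin') {
    header("Location: login.php");
    exit();
}

if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// The Delete link in manage_users.php is a plain GET. Nothing is deleted on GET:
// the page shows a confirmation form, and only the POST from that form deletes.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    $user_id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if (!$user_id) { // null (absent) or false (not an integer); ids start at 1
        http_response_code(400);
        exit('Missing or invalid user id');
    }
    mysqli_close($conn);
    ?>
    <form method="post">
        <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
        <input type="hidden" name="id" value="<?php echo $user_id; ?>">
        <p>Are you sure you want to delete user #<?php echo $user_id; ?>?</p>
        <button type="submit">Delete</button>
        <a href="manage_users.php">Cancel</a>
    </form>
    <?php
    exit();
}

// POST: the token proves the request came from a form this session rendered.
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

$user_id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if (!$user_id) {
    http_response_code(400);
    exit('Missing or invalid user id');
}

// Self-deletion check, compared as integers so "5" from the form and 5 from the session match.
if ($user_id === (int) $_SESSION['user_id']) {
    http_response_code(400);
    exit('You cannot delete yourself!');
}

// Prepared statement: the id is bound as an integer, never spliced into the SQL text.
$stmt = $conn->prepare("DELETE FROM users WHERE id = ?");
$stmt->bind_param("i", $user_id);
$ok = $stmt->execute();
if (!$ok) {
    error_log("delete_user failed: " . $stmt->error); // detail stays in the server log
}
$stmt->close();
mysqli_close($conn);

if ($ok) {
    header("Location: manage_users.php");
    exit();
}
http_response_code(500);
exit('Error deleting record');
```

Because the id is validated with FILTER_VALIDATE_INT before it is used anywhere, the hidden field and the confirmation text can echo it without further escaping; every other value that reaches the page still goes through htmlspecialchars().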
🎯 Summary
✔ Deletes a user from the database.
✔ Restricts access to admins only.
✔ Redirects back to the user list after deletion.
✔ Needs security improvements (SQL injection, confirmation, self-deletion prevention).