
Tutorial: Building a Secure Admin Panel with PHP & MySQL: Multi-User Login System, Role-Based Access & Complete Protection (Production Ready)
Introduction
Building an admin panel is not just about CRUD and a dashboard. If the system is not secure, the entire database can leak because of a single small hole.
In this complete guide, we will build a Secure Admin Panel using PHP & MySQL with the following features:
- Multi-user login (Admin & User)
- Role Based Access Control
- Prepared statements (anti SQL injection)
- XSS protection
- CSRF token protection
- Login rate limiting
- Session protection
- Secure file upload
- Professional dashboard
1. Professional Folder Structure
/admin-panel
│
├── config/
│ └── database.php
│
├── auth/
│ ├── login.php
│ ├── register.php
│ ├── logout.php
│
├── middleware/
│ └── auth.php
│
├── dashboard/
│ └── index.php
│
├── uploads/
│
└── index.php
2. Creating the Database
CREATE DATABASE secure_admin;
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(100) NOT NULL,
email VARCHAR(150) NOT NULL UNIQUE,
password VARCHAR(255) NOT NULL,
role ENUM('admin','user') DEFAULT 'user',
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
3. Database Connection (database.php)
<?php
// root with an empty password is for local development only; use a dedicated least-privilege account in production
$conn = new mysqli("localhost", "root", "", "secure_admin");
if ($conn->connect_error) {
    die("Connection failed");
}
// Match the connection charset to the stored data so escaping behaves as expected
$conn->set_charset("utf8mb4");
// No closing ?> tag: stray whitespace after it would be sent as output and break header() redirects
4. Registration System (Secure)
<?php
include "../config/database.php";
// Store input unmodified and escape it on output (see the dashboard); validate instead of "sanitizing"
$username = trim($_POST['username'] ?? '');
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$rawPassword = $_POST['password'] ?? '';
if ($username === '' || !$email || strlen($rawPassword) < 8) {
    die("Invalid input");
}
// password_hash() salts and hashes; the plain password is never stored
$password = password_hash($rawPassword, PASSWORD_DEFAULT);
$stmt = $conn->prepare("INSERT INTO users (username,email,password) VALUES (?,?,?)");
$stmt->bind_param("sss", $username, $email, $password);
$stmt->execute();
echo "Register berhasil";
5. Login with Rate Limiting
<?php
session_start();
include "../config/database.php";
if (!isset($_SESSION['login_attempt'])) {
    $_SESSION['login_attempt'] = 0;
}
// This counter lives in the session, so it only throttles clients that keep the same session cookie
if ($_SESSION['login_attempt'] > 5) {
    die("Terlalu banyak percobaan login");
}
$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
$stmt = $conn->prepare("SELECT * FROM users WHERE email=?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();
if ($user && password_verify($password, $user['password'])) {
    session_regenerate_id(true);        // new session ID on login prevents session fixation
    $_SESSION['login_attempt'] = 0;     // reset the counter after a successful login
    $_SESSION['user'] = $user['username'];
    $_SESSION['role'] = $user['role'];
    header("Location: ../dashboard/index.php");
    exit;                               // stop here; without exit the rest of the script still runs
} else {
    $_SESSION['login_attempt']++;
    echo "Login gagal";
}
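A session-based counter is reset as soon as a client discards its cookie and starts a fresh session, so it does not throttle an automated client. The following is an added example, not code from the original tutorial: it records failed attempts per email address and per client IP in a database table and refuses further attempts once a threshold is reached within a time window. The `login_attempts` table, its columns, the helper function names and the limit of 5 attempts per 15 minutes are assumptions chosen for this example.

```php
<?php
// Added example: database-backed login throttling (not part of the original tutorial).
// Assumed table, not in the original schema:
//   CREATE TABLE login_attempts (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     email VARCHAR(150) NOT NULL,
//     ip VARCHAR(45) NOT NULL,
//     attempted_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
//     INDEX (email, attempted_at), INDEX (ip, attempted_at)
//   );
session_start();
include "../config/database.php";

const MAX_ATTEMPTS = 5;       // failures allowed per email or per IP inside the window
const WINDOW_SECONDS = 900;   // 15 minutes

// Count recent failures for this email or this IP address
function tooManyAttempts(mysqli $conn, string $email, string $ip): bool {
    $stmt = $conn->prepare(
        "SELECT COUNT(*) FROM login_attempts
         WHERE (email = ? OR ip = ?) AND attempted_at > FROM_UNIXTIME(?)"
    );
    $cutoff = time() - WINDOW_SECONDS;
    $stmt->bind_param("ssi", $email, $ip, $cutoff);
    $stmt->execute();
    $count = (int) $stmt->get_result()->fetch_row()[0];
    return $count >= MAX_ATTEMPTS;
}

function recordFailure(mysqli $conn, string $email, string $ip): void {
    $stmt = $conn->prepare("INSERT INTO login_attempts (email, ip) VALUES (?, ?)");
    $stmt->bind_param("ss", $email, $ip);
    $stmt->execute();
}

// A successful login clears the failures recorded for that account
function clearFailures(mysqli $conn, string $email): void {
    $stmt = $conn->prepare("DELETE FROM login_attempts WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
}

$email = $_POST['email'] ?? '';
$password = $_POST['password'] ?? '';
$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (tooManyAttempts($conn, $email, $ip)) {
    http_response_code(429);
    die("Terlalu banyak percobaan login");
}

$stmt = $conn->prepare("SELECT id, username, password, role FROM users WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$user = $stmt->get_result()->fetch_assoc();

// Always run password_verify(), even for unknown emails, so response time does not
// reveal which addresses are registered. The dummy hash never matches.
$hash = $user['password'] ?? password_hash("dummy-password-never-used", PASSWORD_DEFAULT);
if ($user && password_verify($password, $hash)) {
    clearFailures($conn, $email);
    session_regenerate_id(true);
    $_SESSION['user'] = $user['username'];
    $_SESSION['role'] = $user['role'];
    header("Location: ../dashboard/index.php");
    exit;
}
recordFailure($conn, $email, $ip);
echo "Login gagal";
```

Counting by email and by IP together means one account cannot be hammered from many addresses and one address cannot cycle through many accounts; if your application sits behind a reverse proxy, `REMOTE_ADDR` will be the proxy and you must take the client address from the header your proxy sets instead. Old rows can be purged with a periodic `DELETE ... WHERE attempted_at < FROM_UNIXTIME(...)`.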
6. Middleware Role Protection
<?php
session_start();
// Not logged in: redirect to the login page and stop before any protected output is sent
if (!isset($_SESSION['user'])) {
    header("Location: ../auth/login.php");
    exit;
}
// Logged in but not an admin: deny access (die() ends the script)
if ($_SESSION['role'] != 'admin') {
    die("Akses ditolak");
}
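The middleware above admits only the admin role, so a regular user is turned away from every page that includes it even though the panel is meant to support both roles. The following added example (not the tutorial's own code) turns the file into two helpers, `require_login()` and `require_role()`, so that each page declares which roles may open it; the function names and the `dashboard/profile.php` page mentioned in the usage comments are assumptions, while the `$_SESSION['user']` and `$_SESSION['role']` keys are the ones the tutorial already uses.

```php
<?php
// Added example: role-based access helpers as a replacement for middleware/auth.php.
// Function names are assumptions; the session keys follow the tutorial.

function require_login(): void {
    // Safe to call from any page, whether or not session_start() already ran
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user'])) {
        // Not logged in: send to the login page and stop before any protected output
        header("Location: ../auth/login.php");
        exit;
    }
}

// $roles is an allow-list: the page may continue only if the session role is in it.
// Strict comparison so that a role value of 0 or an empty string never matches.
function require_role(array $roles): void {
    require_login();
    $role = $_SESSION['role'] ?? '';
    if (!in_array($role, $roles, true)) {
        http_response_code(403);
        die("Akses ditolak");
    }
}

// Usage on an admin-only page (dashboard/index.php), placed before any HTML:
//   include "../middleware/auth.php"; require_role(['admin']);
// Usage on a page both roles may open (assumed dashboard/profile.php):
//   include "../middleware/auth.php"; require_role(['admin', 'user']);
```

Because the checks are now explicit calls, a page that forgets to call `require_role()` is unprotected; keep a list of every file under `dashboard/` and confirm each one starts with the include and a role check before deploying.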
7. Secure Dashboard
<?php include "../middleware/auth.php"; ?>
<h2>Dashboard Admin</h2>
<p>Selamat datang, <?= htmlspecialchars($_SESSION['user']); ?></p>
<a href="../auth/logout.php">Logout</a>
8. CSRF Token Protection
// Generate the token once per session; a new token on every page load breaks forms open in other tabs
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
Form:
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token']; ?>">
Validation:
// hash_equals() compares in constant time; the isset() check avoids comparing against a missing value
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    die("Invalid CSRF Token");
}
9. Secure File Upload
$allowed = ['jpg', 'png', 'jpeg'];
$allowedMime = ['image/jpeg', 'image/png'];
$file = $_FILES['file'] ?? null;
if (!$file || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
    die("Upload gagal");
}
// Check the lower-cased extension and the real content type, not only the name the client sent
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if (in_array($ext, $allowed, true) && in_array($mime, $allowedMime, true)) {
    // Never reuse the client filename (it may contain "../" or a second extension); generate a random one
    $newName = bin2hex(random_bytes(16)) . "." . $ext;
    move_uploaded_file($file['tmp_name'], "../uploads/" . $newName);
} else {
    die("Format tidak diizinkan");
}
10. Session Protection
ini_set('session.cookie_httponly', 1);        // set before session_start(): JavaScript cannot read the cookie
ini_set('session.cookie_secure', 1);          // the cookie is only sent over HTTPS
ini_set('session.cookie_samesite', 'Strict'); // not sent on cross-site requests
ini_set('session.use_strict_mode', 1);        // reject session IDs the server did not generate
11. Production Checklist
- ✔ Every query uses a prepared statement
- ✔ Passwords are hashed
- ✔ CSRF token enabled
- ✔ Session ID regenerated on login
- ✔ Login rate limiting
- ✔ HTTPS enabled
- ✔ Errors are not displayed to users
- ✔ Safe folder permissions
Closing
With this system you now have a production-ready Secure Admin Panel that can be used for real projects.
This foundation can be developed into:
- A content management system
- A membership website
- An internal company application
- A SaaS dashboard
Build the habit of secure coding from the start.