
Is this a Secure PHP Administration Page?

I'm making a game and I created an "administration" panel for it. It works like this:

admin.php
admin/code1.php
admin/code2.php

admin.php:

<?php
include("lib.php");
$player = check_user($secret_key, $db);
if ($player->rank != "Administrador")
{
    header("Location: personagem.php");
    exit;
}
include("templates/private_header.php");
head("Admin Panel", "adminpanel.png");
startbox();
if (isset($_GET['page']))
{
    include("admin/" . $_GET['page'] . ".php");
}
else
{
?>
<a href="admin.php?page=code1">Kill Players</a><br>
<a href="admin.php?page=code2">Heal Players</a><br>

<?php
}
endbox();
include("templates/footer.php");
?>

I want to know if I'm prone to hacking. code1.php and code2.php use a custom query library that is included in lib.php, so there is no way to execute them directly without running into an error.

Also, in my template I have:

if ($player->rank == "Administrador")
{
    echo "<a href='admin.php'>Admin Panel</a>";
}

so I can access the panel more quickly. Is there risk in there too?

Just note that $player is an object created from a query to the player database that represents the current player. In my thoughts, the only way to hack this is by changing the "rank" status in the table to "Administrador". Am I right? Or is there something I let pass? Thanks in advance.


include("admin/" . $_GET['page'] . ".php");

This is a huge security hole.

Something like blah.php?page=../../../../etc/passwd%00 would include /etc/passwd, and of course you can also do this with other files - maybe even some files uploaded by the user that contain PHP code (it could even be an image, as long as it contains <?php [code] somewhere).

And even if you are the only administrator, not closing holes like that would not be wise - you might have other administrators at some point.


Never trust user input

Never work with any of $_GET, $_POST, $_COOKIE without verifying them first (or anything else user-generated, for that matter; even stuff from your own database might be dangerous).

include("admin/" . $_GET['page'] . ".php");

Don't do this; otherwise you can include any file you want. I suggest you whitelist all allowed pages to be included, like so:

$allowed = array("admin_index", "page1", "page2");
$page = isset($_GET['page']) ? $_GET['page'] : '';
// third argument: strict comparison, so only an exact string match passes
if (in_array($page, $allowed, true)) {
    include("admin/" . $page . ".php");
}
else {
    // perform error handling
}

Here's a useful function you could take a look at if you don't want to whitelist all pages: basename() - this will only ever return the filename part, without any directory-changing part.

Furthermore, I do not recommend working with includes like this at all; rather, have some controller hierarchy that can decide what to do on each request.

What about the authentication?

Show us your code for the authentication. That's a crucial part of your system that needs to be secure.
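Putting the two answers together (the traversal payload from the first, the whitelist from the second), here is an added example of a hardened dispatcher for admin.php. It is not code from the question or from either answer. It assumes PHP 7.1 or later and a hypothetical ADMIN_PAGES map from page keys to files under admin/; the realpath() containment check is a second line of defence in case that map is ever edited to contain a bad entry.

```php
<?php
// Added example, not from the original question or answers.
// Page names come from a fixed map and are compared as exact keys, so a value
// such as "../../../../etc/passwd%00" never reaches include().

declare(strict_types=1);

// Hypothetical map of allowed ?page= keys to files under admin/.
// Adding a page means adding a line here, not trusting whatever is in the URL.
const ADMIN_PAGES = [
    'code1' => 'code1.php',  // Kill Players
    'code2' => 'code2.php',  // Heal Players
];

/**
 * Resolve a user-supplied ?page= value to an absolute file path, or return
 * null if it is not an allowed page. Rejects non-strings (?page[]=x),
 * anything that is not a key of ADMIN_PAGES, and, as defence in depth, any
 * resolved path that does not sit inside $baseDir.
 */
function resolve_admin_page($page, string $baseDir): ?string
{
    if (!is_string($page) || !array_key_exists($page, ADMIN_PAGES)) {
        return null;
    }

    // realpath() canonicalises "..", "." and symlinks, and returns false
    // for paths that do not exist.
    $base = realpath($baseDir);
    $file = realpath($baseDir . DIRECTORY_SEPARATOR . ADMIN_PAGES[$page]);
    if ($base === false || $file === false) {
        return null;
    }

    // Containment check: the resolved file must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $file;
}

// Usage in admin.php, after the rank check has already passed.
$target = resolve_admin_page($_GET['page'] ?? null, __DIR__ . '/admin');
if ($target === null) {
    http_response_code(404);
    echo 'Unknown admin page';
} else {
    include $target;
}
```

On current PHP versions a null byte in the path makes include() fail outright rather than truncating the ".php" suffix, but "../" traversal without the null byte still reaches any file whose name ends in .php, so it is the whitelist, not the null-byte behaviour, that closes the hole. For the rank check itself, compare with !== rather than != so that only the exact string "Administrador" passes.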

