diff --git a/app-code/account/manage_users.php b/app-code/account/manage_users.php
index 61f9e8e..8d0d455 100644
--- a/app-code/account/manage_users.php
+++ b/app-code/account/manage_users.php
@@ -21,26 +21,44 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
 <body>
 <div class="container my-5">
     <div class="row justify-content-center">
-      <div class="col-md-8 col-lg-6">
+      <div class="col-md-10 col-lg-8">
         <div class="card shadow">
           <div class="card-body">
-            <div class="d-flex justify-content-between align-items-center mb-4">
+            <div class="d-flex justify-content-between align-items-center mb-3">
               <h4 class="card-title mb-0">User Management</h4>
               <a href="/account/" class="btn btn-outline-secondary btn-sm"><span class="material-icons" style="font-size: 18px; vertical-align: middle;">arrow_back</span> Back</a>
             </div>
-            <div class="table-responsive">
+            <div class="row g-2 mb-3">
+              <div class="col">
+                <input type="text" id="searchInput" class="form-control" placeholder="Search by username..." oninput="loadUsers()">
+              </div>
+              <div class="col-auto">
+                <select id="sortSelect" class="form-select" onchange="loadUsers()">
+                  <option value="id">ID</option>
+                  <option value="username">Username</option>
+                </select>
+              </div>
+              <div class="col-auto">
+                <select id="orderSelect" class="form-select" onchange="loadUsers()">
+                  <option value="ASC">Asc</option>
+                  <option value="DESC">Desc</option>
+                </select>
+              </div>
+            </div>
+            <div class="table-responsive" style="max-height: 60vh; overflow-y: auto;">
               <table class="table table-dark table-hover align-middle mb-0">
-                  <thead>
+                  <thead class="sticky-top" style="background: var(--bs-card-bg);">
                   <tr>
-                      <th>ID</th>
+                      <th style="width: 80px;">ID</th>
                       <th>Username</th>
-                      <th class="text-end">Actions</th>
+                      <th class="text-end" style="width: 100px;">Actions</th>
                   </tr>
                   </thead>
                   <tbody id="userTableBody">
                   </tbody>
               </table>
             </div>
+            <p id="loadingMessage" class="text-muted text-center mt-3 mb-0">Loading...</p>
             <p id="noUsersMessage" class="text-muted text-center mt-3 mb-0" style="display:none;">No users found.</p>
           </div>
         </div>
@@ -83,15 +101,25 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
 
 <script>
     let pendingDeleteId = null;
+    let debounceTimer = null;
+
+    async function loadUsers() {
+        const search = document.getElementById('searchInput').value;
+        const sort = document.getElementById('sortSelect').value;
+        const order = document.getElementById('orderSelect').value;
+
+        document.getElementById('loadingMessage').style.display = 'block';
+        document.getElementById('noUsersMessage').style.display = 'none';
 
-    async function fetchUsers() {
         try {
-            const response = await fetch('/api/manage/fetch_users.php');
+            const response = await fetch(`/api/manage/fetch_users.php?search=${encodeURIComponent(search)}&sort=${sort}&order=${order}`);
             const data = await response.json();
 
             const userTableBody = document.getElementById('userTableBody');
             const noMsg = document.getElementById('noUsersMessage');
+            const loadingMsg = document.getElementById('loadingMessage');
             userTableBody.innerHTML = '';
+            loadingMsg.style.display = 'none';
 
             if (data.success && data.data.length > 0) {
                 noMsg.style.display = 'none';
@@ -99,9 +127,9 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
                     const row = document.createElement('tr');
                     row.innerHTML = `
                         <td class="text-muted">${user.id}</td>
-                        <td>${user.username}</td>
+                        <td>${escapeHtml(user.username)}</td>
                         <td class="text-end">
-                            <button class="btn btn-outline-danger btn-sm" onclick="showDeleteConfirm(${user.id}, '${user.username.replace(/'/g, "\\'")}')">Delete</button>
+                            <button class="btn btn-outline-danger btn-sm" onclick="showDeleteConfirm(${user.id}, '${escapeHtml(user.username).replace(/'/g, "\\'")}')">Delete</button>
                         </td>
                     `;
                     userTableBody.appendChild(row);
@@ -111,9 +139,16 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
             }
         } catch (error) {
             console.error('Error fetching users:', error);
+            document.getElementById('loadingMessage').textContent = 'Failed to load users.';
         }
     }
 
+    function escapeHtml(str) {
+        const div = document.createElement('div');
+        div.textContent = str;
+        return div.innerHTML;
+    }
+
     function showDeleteConfirm(userId, username) {
         pendingDeleteId = userId;
         document.getElementById('deleteUserName').textContent = username;
@@ -129,15 +164,13 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
         try {
             const response = await fetch(`/api/manage/delete_user.php?id=${userId}`, {
                 method: 'DELETE',
-                headers: {
-                    'X-CSRF-Token': window.csrfToken
-                }
+                headers: { 'X-CSRF-Token': window.csrfToken }
             });
             const data = await response.json();
 
             if (data.success) {
                 showResponseModal('Success', 'User deleted successfully!');
-                fetchUsers();
+                loadUsers();
             } else {
                 showResponseModal('Error', data.message || 'Failed to delete user.');
             }
@@ -152,7 +185,7 @@ if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_adm
         new bootstrap.Modal(document.getElementById('responseModal')).show();
     }
 
-    fetchUsers();
+    loadUsers();
 </script>
 </body>
 </html>
\ No newline at end of file
diff --git a/app-code/api/manage/fetch_users.php b/app-code/api/manage/fetch_users.php
index 9376904..0a19db5 100644
--- a/app-code/api/manage/fetch_users.php
+++ b/app-code/api/manage/fetch_users.php
@@ -2,9 +2,8 @@
 header('Content-Type: application/json');
 include "../utils/security.php";
 secure_session_start();
-//check for permisisons
-if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session() ) {
-    echo(json_encode(['success' => false, 'message'=>'not authenticated']));
+if (!isset($_SESSION["logged_in"]) || $_SESSION["logged_in"] !== true || !is_admin_session()) {
+    echo(json_encode(['success' => false, 'message' => 'not authenticated']));
     exit();
 }
 include "../../config/config.php";
@@ -16,8 +15,24 @@ if ($conn->connect_error) {
     exit;
 }
 
-$query = "SELECT id, username FROM users";
-$stmt = $conn->prepare($query);
+$search = trim($_GET['search'] ?? '');
+$sort = $_GET['sort'] ?? 'id';
+$order = strtoupper($_GET['order'] ?? 'ASC') === 'DESC' ? 'DESC' : 'ASC';
+
+$allowedSorts = ['id', 'username'];
+if (!in_array($sort, $allowedSorts)) {
+    $sort = 'id';
+}
+
+if ($search !== '') {
+    $query = "SELECT id, username FROM users WHERE username LIKE ? ORDER BY $sort $order";
+    $stmt = $conn->prepare($query);
+    $like = '%' . $search . '%';
+    $stmt->bind_param('s', $like);
+} else {
+    $query = "SELECT id, username FROM users ORDER BY $sort $order";
+    $stmt = $conn->prepare($query);
+}
 
 if (!$stmt) {
     echo json_encode(['success' => false, 'message' => 'Failed to prepare statement']);
@@ -25,15 +40,14 @@ if (!$stmt) {
 }
 
 $stmt->execute();
-$result = $stmt->get_result();
+$stmt->store_result();
+$stmt->bind_result($id, $username);
 $users = [];
-
-while ($row = $result->fetch_assoc()) {
-    $users[] = $row;
+while ($stmt->fetch()) {
+    $users[] = ['id' => $id, 'username' => $username];
 }
-
 $stmt->close();
 $conn->close();
 
 echo json_encode(['success' => true, 'data' => $users]);
-?>
+?>
\ No newline at end of file