$_POST
and $_GET
arrays can contain dangerous data, so you need prepare data from these arrays before inserting them into DB.
First, you need typecast values to right data types. In PHP you can use followed constructions: (string)
for string data, (int)
and (float)
for numeric data, (bool)
for boolean data.
Field email
necessary checked for valid email, use Regex for it.
Follow code is sample of checking data:
<?php
$link = mysqli_connect('localhost', 'my_user', 'my_password', 'my_db');
$username = mysqli_real_escape_string($link, (string) $_POST['username']);
$nicename = mysqli_real_escape_string($link, (string) $_POST['nicename']);
$email = mysqli_real_escape_string($link, (string) $_POST['email']);
$email = preg_replace( '/^[_a-zA-Z0-9-]+(\.[_a-zA-Z0-9-]+)*@[a-zA-Z0-9-]+(\.[a-zA-Z0-9-]+)*\.(([0-9]{1,3})|([a-zA-Z]{2,3})|(aero|coop|info|museum|name))$/', $email );
$password = sha1((string) $_POST['password']);
$position = mysqli_real_escape_string($link, (string) $_POST['position']);
$race = mysqli_real_escape_string($link, (string) $_POST['race']);
$type = mysqli_real_escape_string($link, (string) $_POST['type']);
$admin = $_SESSION['admin_login'];
$query = "UPDATE `user`
SET `username`='$username',
`nicename`='$nicename',
`email`='$email',
`password`='$password',
`position`='$position',
`race`='$race',
`type`='$type'
WHERE `username`='$admin'";
mysqli_query($link, $query);
mysqli_close($link);