I've been looking around and can't find a place that is showing me an effective way to do this. Currently I have a query that runs when the user submits a form:
$query = "UPDATE user SET username='$_POST[username]',
nicename='$_POST[nicename]',
email='$_POST[email]',
password=(SHA1)'$_POST[password]',
position='$_POST[position]',
race='$_POST[race]',
type='$_POST[type]' WHERE username=$_SESSION[admin_login]";
I'm not sure how to get this to actually work correctly. Sorry if it's been asked before, but I can't find a good solution to this anywhere. Thanks in advance for any help.
First of all, the entire thing is wrong. Why?
Because, first of all, you need to sanitize the input, which you are not doing; at least you should use mysqli_real_escape_string,
like this:
$nicename = mysqli_real_escape_string($connect, $_POST['nicename']);
Secondly, you should encrypt the password before you use it in your query: assign your encrypted password to a variable and then use it in your query, like this:
$hashed_pass = sha1($_POST['password']);
//Query goes here
And last but not least, instead of using the superglobal $_SESSION variable
directly in your query, concatenate it, like this:
WHERE username='".$_SESSION['admin_login']."'";
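
The UPDATE from the question written with bound parameters, as an added example that is not part of the original posts. It assumes PDO with an in-memory SQLite table standing in for the MySQL `user` table, uses `password_hash()` in place of `sha1()`, and the `updateUser` helper, schema and sample values are constructed for illustration.

```php
<?php
// Added example: constructed schema and sample values, not from the original posts.
// Assumption: an in-memory SQLite table stands in for the MySQL `user` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, nicename TEXT, email TEXT,
            password TEXT, position TEXT, race TEXT, type TEXT)');
$pdo->exec("INSERT INTO user (username) VALUES ('admin')");

// Stand-ins for the submitted form and the logged-in session (constructed).
$post = [
    'username' => 'admin',
    'nicename' => "O'Brien",   // a quote character that breaks the interpolated query
    'email'    => 'obrien@example.com',
    'password' => 'correct horse battery',
    'position' => 'manager',
    'race'     => 'human',
    'type'     => 'staff',
];
$session = ['admin_login' => 'admin'];

// Hypothetical helper: values travel as bound parameters, never as SQL text.
function updateUser(PDO $pdo, array $post, string $currentLogin): int
{
    $sql = 'UPDATE user SET username = :username, nicename = :nicename, email = :email,
                   password = :password, position = :position, race = :race, type = :type
             WHERE username = :current';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':username' => $post['username'],
        ':nicename' => $post['nicename'],
        ':email'    => $post['email'],
        // Salted, adaptive hash; check it at login with password_verify().
        ':password' => password_hash($post['password'], PASSWORD_DEFAULT),
        ':position' => $post['position'],
        ':race'     => $post['race'],
        ':type'     => $post['type'],
        ':current'  => $currentLogin,
    ]);
    return $stmt->rowCount();
}

$changed = updateUser($pdo, $post, $session['admin_login']);
$row = $pdo->query("SELECT * FROM user WHERE username = 'admin'")->fetch(PDO::FETCH_ASSOC);
echo "rows updated: $changed\n";
echo "nicename stored as: {$row['nicename']}\n";
echo 'password verifies: ' . var_export(password_verify($post['password'], $row['password']), true) . "\n";
```

The same `prepare()`/`execute()` calls work against MySQL by changing only the PDO connection string.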