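Access Denied: You are not Admin!");

// Validate the requested access level before it reaches the UPDATE below.
// $_POST['access'] used to be concatenated raw into the query (SQL injection).
// Only the values the admin form offers are accepted:
// 0=Banned, 2=Normal user, 8=Multihunter, 9=Admin.
//
// The field must be present and consist of digits only. A bare (int) cast turns
// a missing or non-numeric value into 0, which is on the whitelist, so such a
// request would silently set the account to Banned.
$rawAccess = isset($_POST['access']) ? $_POST['access'] : null;
if (!is_string($rawAccess) || !preg_match('/\A[0-9]+\z/', $rawAccess)) {
    die("Invalid access level");
}

$access = (int) $rawAccess;
if (!in_array($access, array(0, 2, 8, 9), true)) {
    die("Invalid access level");
}

// NOTE(review): $id is assigned before this excerpt, so its validation is not
// visible here. It ends up in both the query and the redirect URL, so force it
// to an integer at the point of use. Confirm against the earlier assignment.
$id = (int) $id;

// Bind both values instead of concatenating them, so the query stays safe even
// if the validation above is later changed.
$stmt = mysqli_prepare(
    $GLOBALS["link"],
    "UPDATE ".TB_PREFIX."users SET access = ? WHERE id = ?"
);
if ($stmt === false
    || !mysqli_stmt_bind_param($stmt, "ii", $access, $id)
    || !mysqli_stmt_execute($stmt)
) {
    // Read the error from the handle the statement ran on, and keep driver
    // details in the server log rather than echoing them to the browser.
    error_log("Access level update failed: ".mysqli_error($GLOBALS["link"]));
    die("Database error");
}
mysqli_stmt_close($stmt);

header("Location: ../../../Admin/admin.php?p=player&uid=".$id."");
// Stop here so nothing can run or be emitted after the redirect header.
exit;
?>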