- Ensure the script starts with session_start() and checks that the user is actually logged in before processing the change.
- A simple script might be vulnerable to Cross-Site Request Forgery. Ensure your form includes a hidden CSRF token.
- Never use a script that saves passwords as raw text.
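The following change-password handler is an added example, not code from the original page, showing all three points together: the session and login check, a per-session CSRF token verified in constant time, and storage of only a password hash. It assumes a PDO connection in `$pdo` provided by a hypothetical `db.php`, and a hypothetical `users` table with columns `id` and `password_hash`.

```php
<?php
// Added example: change-password handler covering the three points above.
// Assumptions (hypothetical): db.php defines $pdo (a PDO connection) and the
// `users` table has columns `id` and `password_hash`.
declare(strict_types=1);

require 'db.php';
session_start();

// 1. Reject anyone who is not logged in before touching the account.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. CSRF token: generated once per session with a CSPRNG, embedded as a
//    hidden field, and compared in constant time on every POST.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    $current = (string) ($_POST['current_password'] ?? '');
    $new     = (string) ($_POST['new_password'] ?? '');
    $confirm = (string) ($_POST['confirm_password'] ?? '');

    if ($new !== $confirm || strlen($new) < 12) {
        exit('New passwords do not match or are too short');
    }

    // Look up the stored hash for the logged-in user only; never trust a
    // user id supplied in the form.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $storedHash = $stmt->fetchColumn();

    // 3. Verify against the stored hash, never against a plain-text value.
    if ($storedHash === false || !password_verify($current, $storedHash)) {
        exit('Current password is incorrect');
    }

    // Store only a salted, slow hash of the new password.
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([$newHash, $_SESSION['user_id']]);

    // Rotate the session id and CSRF token after a sensitive change.
    session_regenerate_id(true);
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    exit('Password changed');
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8') ?>">
  <label>Current password <input type="password" name="current_password"></label>
  <label>New password <input type="password" name="new_password"></label>
  <label>Confirm new password <input type="password" name="confirm_password"></label>
  <button type="submit">Change password</button>
</form>
```

The token is compared with `hash_equals()` rather than `==` so the comparison does not leak timing information, and the handler requires the current password before accepting a new one, so a stolen session alone is not enough to lock the real user out.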