diff --git a/auth/db/auth.php b/auth/db/auth.php
index 5c2fe8c5eaedf..13da0f4b9ead2 100644
--- a/auth/db/auth.php
+++ b/auth/db/auth.php
@@ -603,9 +603,12 @@ function user_update($olduser, $newuser) {
             }
         }
         if (!empty($update)) {
-            $authdb->Execute("UPDATE {$this->config->table}
-                                 SET ".implode(',', $update)."
-                               WHERE {$this->config->fielduser}='".$this->ext_addslashes($extusername)."'");
+            $sql = "UPDATE {$this->config->table}
+                       SET ".implode(',', $update)."
+                     WHERE {$this->config->fielduser} = ?";
+            if (!$authdb->Execute($sql, array($this->ext_addslashes($extusername)))) {
+                print_error('auth_dbupdateerror', 'auth_db');
+            }
         }
         $authdb->Close();
         return true;
diff --git a/auth/db/lang/en/auth_db.php b/auth/db/lang/en/auth_db.php
index d3f8a835bbf8d..75c5c2636ad63 100644
--- a/auth/db/lang/en/auth_db.php
+++ b/auth/db/lang/en/auth_db.php
@@ -74,5 +74,6 @@
 $string['auth_dbcannotreadtable'] = 'Cannot read external table.';
 $string['auth_dbtableempty'] = 'External table is empty.';
 $string['auth_dbcolumnlist'] = 'External table contains the following columns:<br />{$a}';
+$string['auth_dbupdateerror'] = 'Error updating external database.';
 $string['pluginname'] = 'External database';
 $string['privacy:metadata'] = 'The External database authentication plugin does not store any personal data.';