Just sanitize the variables in SQL query where necessary sqlesc() or mysqli_real_string_escape() if you have converted over to mysqli and I believe try to use trim() around:
PHP Code:
$md5 = $_GET["secret"];
$email = $_GET["email"];
$sec = $row["editsecret"];
SQL ESC
PHP Code:
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '".sqlesc($id)."'");
[B]AND[/B]
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = ' " . sqlesc($id)."' AND `editsecret` = " . sqlesc($row["editsecret"]));
NOT TESTED YET WILL TRY WHEN PC HAS ARRIVED 