diff --git a/edit-mailbox.php b/edit-mailbox.php index c24347bc..54d2817f 100644 --- a/edit-mailbox.php +++ b/edit-mailbox.php @@ -154,7 +154,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") if(preg_match('/^(.*)@/', $fUsername, $matches)) { $formvars['local_part'] = $matches[1]; } - $result = db_update('mailbox', "username='$fUsername' AND domain='$fDomain'", $formvars, array('modified')); + $result = db_update_q('mailbox', "username='$fUsername' AND domain='$fDomain'", $formvars, array('modified')); # TODO: check if we need the AND domain=... clause, if not, switch to db_update() $maildir = $user_details['maildir']; if ($result != 1 || !mailbox_postedit($fUsername,$fDomain,$maildir, $quota)) { $tMessage = $PALANG['pEdit_mailbox_result_error']; diff --git a/functions.inc.php b/functions.inc.php index c347847c..e9e356b2 100644 --- a/functions.inc.php +++ b/functions.inc.php 
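Review bot: The new db_update_q() call still interpolates `$fUsername` and `$fDomain` straight into the WHERE string, and db_update_q() takes that string as raw SQL, so this call site is only safe if both values were already run through escape_string() earlier in the POST handler, which is outside this hunk and cannot be confirmed here. Since the point of the commit is to push callers through the escaping db_update() wrapper, either escape explicitly at this site — `$result = db_update_q('mailbox', "username='" . escape_string($fUsername) . "' AND domain='" . escape_string($fDomain) . "'", $formvars, array('modified'));` — or resolve the TODO now and call `db_update('mailbox', 'username', $fUsername, $formvars, array('modified'))`, which escapes the value for you. The enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` block starts and ends outside the hunk.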
@@ -1728,15 +1728,30 @@ function db_insert ($table, $values, $timestamp = array('created', 'modified') ) /** * db_update * Action: Updates a specified table - * Call: db_update (string table, string where, array values [, array timestamp]) + * Call: db_update (string table, string where_col, string where_value, array values [, array timestamp]) * @param String - table name - * @param String - WHERE condition + * @param String - column of WHERE condition + * @param String - value of WHERE condition * @param array - key/value map of data to insert into the table. * @param array (optional) - array of fields to set to now() - default: array('modified') * @return int - number of updated rows */ -function db_update ($table, $where, $values, $timestamp = array('modified') ) -{ +function db_update ($table, $where_col, $where_value, $values, $timestamp = array('modified') ) { + $where = $where_col . " = '" . escape_string($where_value) . "'"; + return db_update_q ($table, $where, $values, $timestamp = array('modified') ); +} + +/** + * db_update_q + * Action: Updates a specified table + * Call: db_update_q (string table, string where, array values [, array timestamp]) + * @param String - table name + * @param String - WHERE condition (as SQL) + * @param array - key/value map of data to insert into the table. + * @param array (optional) - array of fields to set to now() - default: array('modified') + * @return int - number of updated rows + */ +function db_update_q ($table, $where, $values, $timestamp = array('modified') ) { $table = table_by_key ($table); foreach(array_keys($values) as $key) { diff --git a/model/AliasHandler.php b/model/AliasHandler.php index a8940428..87adcde2 100644 --- a/model/AliasHandler.php +++ b/model/AliasHandler.php 
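Review bot: In the new db_update() wrapper the `$timestamp = array('modified')` written inside the argument list of the db_update_q() call is an assignment expression, so whatever timestamp array the caller passed is silently replaced by the default before being forwarded; the line should read `return db_update_q($table, $where, $values, $timestamp);`. Separately, `$where_col` is concatenated into the SQL unescaped and unquoted, which is fine for the literal column names the other hunks pass but means the wrapper is only safe as long as no caller derives the column from request data — that contract deserves a docblock line such as `* @param String - column of WHERE condition (trusted literal; it is NOT escaped)`. The body of db_update_q() continues past the end of the hunk.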
@@ -167,7 +167,7 @@ class AliasHandler { $alias_data = array( 'goto' => $goto, ); - $result = db_update('alias', "address = '$E_username'", $alias_data); + $result = db_update('alias', 'address', $this->username, $alias_data); } if($result != 1) { return false; diff --git a/model/UserHandler.php b/model/UserHandler.php index e153d38e..bebed206 100644 --- a/model/UserHandler.php +++ b/model/UserHandler.php @@ -28,17 +28,14 @@ class UserHandler { * as per the configuration in config.inc.php */ public function change_pw($new_password, $old_password, $match = true) { - $username = $this->username; list(/*NULL*/,$domain) = explode('@', $username); - $username = escape_string($username); + $E_username = escape_string($this->username); $table_mailbox = table_by_key('mailbox'); - $new_db_password = pacrypt($new_password); - if ($match == true) { $active = db_get_boolean(True); - $result = db_query("SELECT password FROM $table_mailbox WHERE username='$username' AND active='$active'"); + $result = db_query("SELECT password FROM $table_mailbox WHERE username='$E_username' AND active='$active'"); $result = db_assoc($result['result']); if (pacrypt($old_password, $result['password']) != $result['password']) { @@ -49,10 +46,10 @@ class UserHandler { } $set = array( - 'password' => $new_db_password + 'password' => pacrypt($new_password) , ); - $result = db_update('mailbox', 'username=\''.$username.'\'', $set ); + $result = db_update('mailbox', 'username', $this->username, $set ); if ($result != 1) { db_log ('CONSOLE', $domain, 'edit_password', "FAILURE: " . $this->username); # TODO: replace hardcoded CONSOLE - class is used by XMLRPC and users/
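Review bot: Dropping `$username = $this->username;` leaves the unchanged `list(/*NULL*/,$domain) = explode('@', $username);` on the next line reading a variable that no longer exists, so `$domain` ends up empty (with an undefined-variable notice) and the db_log() call later in change_pw() records the wrong domain; it should become `list(/*NULL*/,$domain) = explode('@', $this->username);`. The `$match` branch also indexes `$result['password']` without checking that db_assoc() returned a row, so an unknown or inactive username reaches the pacrypt() comparison with a false/null row — pre-existing, but this hunk rewrites the query line, so a `if ($result === false) { return false; }` guard after db_assoc() would fit here. change_pw() continues past the end of the hunk.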