diff --git a/src/api/users.py b/src/api/users.py
index fe4fad5..393f580 100644
--- a/src/api/users.py
+++ b/src/api/users.py
@@ -7,6 +7,8 @@
 DB_PATH = "billing.db"
 # Columns the database exposes, including `is_admin` and `balance_cents`.
 USER_COLUMNS = ("email", "display_name", "phone", "is_admin", "balance_cents")
+# Only allow users to update safe, non-privileged fields.
+ALLOWED_UPDATE_FIELDS = ("email", "display_name", "phone")
 @users_bp.patch("/")
@@ -14,17 +16,7 @@ def update_user(user_id: int):
     """Update a user's profile."""
     body = request.json or {}
-    set_clause = ", ".join(f"{k} = ?" for k in body.keys() if k in USER_COLUMNS)
-    values = [body[k] for k in body.keys() if k in USER_COLUMNS]
+    set_clause = ", ".join(f"{k} = ?" for k in body.keys() if k in ALLOWED_UPDATE_FIELDS)
+    values = [body[k] for k in body.keys() if k in ALLOWED_UPDATE_FIELDS]
     values.append(user_id)
-    if not set_clause:
-        return jsonify({"error": "no valid fields"}), 400
-
-    conn = sqlite3.connect(DB_PATH)
-    try:
-        conn.execute(f"UPDATE users SET {set_clause} WHERE id = ?", values)
-        conn.commit()
-    finally:
-        conn.close()
-    return jsonify({"updated": user_id, "fields": list(body.keys())})
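Review bot: The comment on the new `ALLOWED_UPDATE_FIELDS` line says only "safe, non-privileged fields" and does not record why `is_admin` and `balance_cents` are absent, so a later maintainer may "fix" the list by syncing it with USER_COLUMNS, which sits directly above it with both columns listed. This allowlist is the control that keeps a profile PATCH from setting privileged columns, and that should be stated where the constant is defined: `# Client-writable columns only. is_admin and balance_cents are deliberately excluded and must never be settable through a profile PATCH.` A `frozenset` would also make the membership test and the intent clearer, `ALLOWED_UPDATE_FIELDS = frozenset({"email", "display_name", "phone"})`.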
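Review bot: On the new side `update_user` ends at `values.append(user_id)`: the `if not set_clause` guard, the sqlite3 execute/commit/close and the `return jsonify(...)` are all removed and nothing replaces them, so as shown the view never performs the UPDATE and returns None, which Flask rejects as an invalid response. The hunk header counts (17 old, 7 new lines) suggest two trailing lines were lost when this diff was collapsed, so this may be a rendering artefact of the page rather than the commit; if the statements really are gone they need to be restored, and the empty-`set_clause` check remains necessary because an empty SET clause is a SQL syntax error. Two further points on the surviving lines: interpolating column names into the UPDATE is acceptable only because they come from the fixed allowlist, which deserves a comment, and requests carrying non-allowed keys such as `is_admin` are now silently dropped while the old return echoed `list(body.keys())` as if they had been applied. I would reject unknown keys explicitly and report only the columns actually written, as sketched below; the `def update_user` line itself is outside the hunk.

```python
    body = request.json or {}
    # Column names in the SET clause come only from the fixed allowlist, never from the request.
    unknown = sorted(set(body) - set(ALLOWED_UPDATE_FIELDS))
    if unknown:
        return jsonify({"error": "fields not updatable", "fields": unknown}), 400
    updates = [(k, body[k]) for k in ALLOWED_UPDATE_FIELDS if k in body]
    if not updates:
        return jsonify({"error": "no valid fields"}), 400
    set_clause = ", ".join(f"{k} = ?" for k, _ in updates)
    values = [v for _, v in updates] + [user_id]
    conn = sqlite3.connect(DB_PATH)
    try:
        conn.execute(f"UPDATE users SET {set_clause} WHERE id = ?", values)
        conn.commit()
    finally:
        conn.close()
    return jsonify({"updated": user_id, "fields": [k for k, _ in updates]})
```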