Board: Bitcoin Technical Support
Topic: Re: Pushpool - Tech Support
by sakkaku on 30/06/2011, 19:22:47 UTC
Also, a database schema question... it appears that the intent is that the password column should be plaintext. Is there an explicit design reason for this? Wouldn't it be far better to encrypt the values stored there and run a database PASSWORD() function to check the match?

Yes. Theoretically it could pass the username and password and at least let you have access to the database's sha and md5 functions. >_<

Anyone listening to the HTTP requests would be able to extract the passwords also. You just need to look in the headers and base64-decode it.

In any case you should have separate miner and account passwords.
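
The points raised in this post, as an added example that is not part of the original post and is not pushpool's own code: the `Authorization: Basic` value is only base64-encoded, so the server can recover the submitted password and compare it against a salted hash instead of a plaintext column. The function names, the PBKDF2 work factor, and the worker name and password are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # Basic auth is plain base64 of "user:password"; there is no secrecy here.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def hash_password(password, salt=None):
    """Return (salt, digest); this pair is what the password column would hold."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_worker(header_value, stored):
    """Check a Basic auth header against a {username: (salt, digest)} mapping."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return False
    user, password = creds
    record = stored.get(user)
    if record is None:
        return False
    salt, expected = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


# Constructed sample data: a miner-only password, separate from the account password.
WORKERS = {"worker1": hash_password("miner-only-secret")}
SAMPLE_HEADER = "Basic " + base64.b64encode(b"worker1:miner-only-secret").decode()
```

Hashing the stored value protects the database copy only; the header still exposes the password on an unencrypted connection, which is why the miner password should not be reused as the account password.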