Hi M'Tux,
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.
About SQLi, vars are passed this way:
Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the
PHP manual for more info.