Board: Project Development
Re: [Pre Announcement] PHPCoin
by Xephan on 16/07/2011, 09:00:15 UTC
Hi M'Tux,

Yes, to go live on the internet with this system I intend to create some modules, change passwords to SHA, enforce SSL and add captchas to prevent brute-forcing.

About SQLi, vars are passed this way:

Code:
<?php
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
// ... which means calling the function below

function makeSQLSafe($str) {
    // undo magic_quotes before escaping so the value is not escaped twice
    if (get_magic_quotes_gpc()) $str = stripslashes($str);
    return mysql_real_escape_string($str);
}
?>


Is there a reason you're going this way and inserting variables directly into queries (which always open up the possibility of SQL injections) instead of using mysqli prepared statements which includes general string/number type checking as well?
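The alternative Xephan is asking about, written out as an added example (this is not code from the PHPCoin project or from anyone in the thread): the same `$_POST['user']` lookup done with a mysqli prepared statement, so the value is sent to the server separately from the SQL text instead of being escaped and spliced into the query string. The table name `users`, its columns, the username pattern and the connection credentials are assumptions for the example.

```php
<?php
// Added example, not the project's code. Assumes a `users` table with
// columns `id`, `username`, `password_hash` (hypothetical schema).
declare(strict_types=1);

function validateUsername(?string $raw): ?string {
    // Input validation is separate from SQL safety: reject empty or odd
    // names before they reach the database layer at all. The allowed
    // pattern is an assumption for the example.
    if ($raw === null) return null;
    $name = trim($raw);
    if ($name === '' || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $name)) return null;
    return $name;
}

function findUserByName(mysqli $db, string $username): ?array {
    // The "?" placeholder is bound with type "s" (string). mysqli ships the
    // value to the server out of band, so no makeSQLSafe() call is needed
    // and magic_quotes handling no longer matters.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    // bind_result/fetch avoids the mysqlnd dependency of get_result().
    $stmt->bind_result($id, $name, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $name, 'password_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

function findUserById(mysqli $db, int $id): ?array {
    // Numeric columns get an "i" binding: the parameter is typed at the PHP
    // level, which is the number/string type checking the post refers to.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($uid, $name);
    $row = $stmt->fetch() ? ['id' => $uid, 'username' => $name] : null;
    $stmt->close();
    return $row;
}

// Usage mirroring the $_POST handling in the quoted snippet.
$e = [];
$user = validateUsername($_POST['user'] ?? null);
if ($user === null) {
    $e[] = "Username missing!";
} else {
    // Placeholder credentials; real ones belong in configuration.
    $db = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'phpcoin');
    if ($db->connect_error) {
        throw new RuntimeException('connect failed: ' . $db->connect_error);
    }
    // Charset must be set on the connection, whether escaping or binding.
    $db->set_charset('utf8mb4');
    $row = findUserByName($db, $user);
    if ($row === null) {
        $e[] = "Unknown user.";
    }
    $db->close();
}
```

The point of the pattern: `makeSQLSafe()` only protects queries where every variable is wrapped in quotes and the connection charset matches what `mysql_real_escape_string()` assumes, while the bound parameter is safe regardless of how the query text is written, and the `i` binding rejects non-numeric input without any extra check.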