The admin login page is vulnerable to SQL injection.
mysql_query("INSERT INTO `admin_logs` (`admin_username`,`ip`,`browser`) VALUES ('".$_SESSION['username']."','".$_SERVER['REMOTE_ADDR']."','".$_SERVER['HTTP_USER_AGENT']."')");
This line is vulnerable to SQL injection if an attacker sends a custom user agent.
Edit: This is a recurring issue throughout the script. Frequently the script records the user-agent without sanitizing it first.
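
A parameterized form of the logging INSERT above, as an added example that is not code from the script itself. Assumptions: PDO is available, an in-memory SQLite database stands in for the script's MySQL connection so the snippet runs offline, and the function name log_admin_access and the 255-character cap are hypothetical.

```php
<?php
// Added example, not the project's code: bind the logged values as parameters
// instead of concatenating them into the SQL string.

function log_admin_access(PDO $db, string $username, string $ip, string $userAgent): void
{
    // Placeholders keep the values out of the SQL text, so quotes in the
    // client-supplied User-Agent header cannot alter the statement.
    $stmt = $db->prepare(
        'INSERT INTO admin_logs (admin_username, ip, browser)
         VALUES (:username, :ip, :browser)'
    );
    $stmt->execute([
        ':username' => $username,
        ':ip'       => $ip,
        // The header is client-controlled and unbounded; cap it before storing
        // (255 is an assumed column size, not taken from the script).
        ':browser'  => substr($userAgent, 0, 255),
    ]);
}

// Assumption: SQLite in memory so the example is self-contained; with MySQL
// only the DSN changes, the prepared statement stays the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_logs (admin_username TEXT, ip TEXT, browser TEXT)');

// Constructed sample header containing a quote and SQL comment characters.
$sampleAgent = "Mozilla/5.0 (constructed 'sample') -- test";
log_admin_access($db, 'admin', '192.0.2.10', $sampleAgent);

// Read the row back and check that the header was stored verbatim as data.
$rows = $db->query('SELECT admin_username, ip, browser FROM admin_logs')
           ->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 1 && $rows[0]['browser'] === $sampleAgent);
```

The same binding applies to every other place where the script writes $_SERVER['HTTP_USER_AGENT'] or session values into a query.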