regdude Posted July 24, 2008

Hi! Recently I found a site - hackthissite.org. It's a site where you can test your hacking skills. But I'm not here to spam about that site; I'm more worried about my own security. I have been working on a simple admin page where I can edit info that comes from MySQL and is shown to people worldwide in a different web (like an admin cp). My past could go a bit back in time, when everything had holes and it was actually easy to hack a beginner in PHP; times changed and most of the PHP bugs are fixed, and thank god, because that guy could be me now. There are some similar things on that site that I used (I found some tutorials and used them, kinda funny ^^) and now they make me worry, because everything seems to be buggy after that test.

For starters, I have a simple page that uses $_GET and it looks something like this: stuff.php?page=1. The hack showed that it is possible to make a SQL injection at the end, after '1'. That didn't work, because there were no connections with page numbers or the content.

Then comes the login script... this makes me worry :/ My login script is the simplest you can imagine - it checks if the password matches the hashed (md5) password in the DB, no sesids or cookies. Now this could be a big hole, but sessions should do it, right? I'm not sure how sessions work; once I made a site that had sessions, but after reading tutorials in this forum about security (about session ids) I found that there are session ids and they can be regenerated. Now this I don't understand, and it would be nice if someone would explain it to me or give me a different tutorial about that.

Next thing was SQL injections in a registration form - mysql_real_escape_string was the answer, but what can I do to not mess up the DB, because after mysql_real_escape_string there will be '?' in the username place; how could I reject this? Is there anything else I should know when making my websites? (I don't use XSS, javascript. I use HTML, MySQL, PHP, CSS)
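The three things the post asks about (the `page=1` parameter, the md5 login with no session, and escaping the registration form) can be handled together in a small login module. The block below is an added example written for this thread, not regdude's code and not from any tutorial the post mentions. It assumes PHP 7 or newer (the `mysql_*` functions, including `mysql_real_escape_string`, were removed in PHP 7, so it uses PDO prepared statements instead), a `users` table with the columns `id`, `username` and `password_hash`, and placeholder DSN, credentials and file paths that you would replace with your own. Binding parameters means the username is never spliced into the SQL text, so there is nothing to escape and no stray characters end up in the stored value; `password_hash`/`password_verify` replace the plain md5 compare; and `session_regenerate_id(true)` after a successful check is exactly the "session ids can be regenerated" step the post refers to: the ID the browser held before logging in is discarded, so an ID that was observed or planted beforehand gives no access afterwards.

```php
<?php
// Added example for this thread (not regdude's code). Assumes PHP 7+, PDO with
// the MySQL driver, and a `users` table (id, username, password_hash).
declare(strict_types=1);

// Session hardening before session_start(): the cookie is not readable from
// JavaScript, only sent over HTTPS (assumes the admin page is served over TLS),
// and a session ID the client made up is rejected instead of adopted.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.use_strict_mode', '1');
session_start();

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=admincp;charset=utf8mb4', // placeholder DSN
        'dbuser',                                              // placeholder credentials
        'dbpass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: user data is sent separately from the SQL.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Registration: store a salted, slow hash rather than md5($password).
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the username is a bound parameter, so input such as "admin' OR '1'='1"
// is compared literally and cannot change the meaning of the query.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for unknown user and wrong password
    }

    // Drop the pre-login session ID and issue a fresh one (defeats fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Every admin page calls this first; the password itself is never kept around.
function requireLogin(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php'); // placeholder path
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// The stuff.php?page=1 case: accept only a positive integer, so nothing from
// the query string is ever concatenated into SQL.
function pageNumber(array $get): int
{
    return filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'default' => 1],
    ]);
}

// Typical use in the login form handler (placeholder field names):
// if (login(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: admin.php');
//     exit;
// }
```

If the site is not yet on HTTPS, leave out the `session.cookie_secure` line until it is, or the session cookie will never be sent back by the browser; the other two settings and the regeneration step still apply.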