You should make your login.php check to make sure the username/password are legit.