Just to go a little further down this rabbit hole.

First, sanitize your inputs and use parameterized queries. Just fix your code. This is the most important thing you should be working on right now.

Second, moving the login page doesn’t fix the problem. If there are other pages within your site that are accessible, then I’m sure you have other sql injection issues. See #1 above.

Third, I bet you are exposed to all manner of other things like XSS. Take a little bit and learn what they are. Then spend some time retraining yourself to code in a defensive way. A hint: validate EVERYTHING. If you expect a number, only accept a number. If you expect a short string, don’t allow javascript to be embedded in it.

One mantra to keep in mind is to only trust the browser, the users, and even the system admins as far as you absolutely have to. Which is to say build your site in such a way that you don’t have to trust them at all.

Most companies have no idea what threats they are faced with. A hint: external threats or only part of it. Internal threats are usually far worse. I say this simply because you are asking a question which attempts to paste over exactly one part of the problem and ignores everything else.

I recently spoke with a company that claimed they had security down pat. Prior to the meeting I went to their website and noticed that they had a document id in all of their URLs. The id was a simple int. In a few minutes of spare time I wrote an app that started at doc id 1 and iterated until the server stopped giving data. There was a fair number of documents I should never have been able to see. Being a good samaritan, I told them about this.

The point of that tale is that sql injection, xss, etc isn’t everything. Security through obscurity is another fail entirely.