Your most important layer of database protection is not C2 but PHP. I'm not really sure what DUTOIT meant by "Don't pass login details via post."; the big majority of websites authenticate using POST. It is obvious that plain POST data with no protection is dangerous for your server, but that's why there are a number of ways to protect yourself. You can encode data, params, actions etc. You can add the hashKey/ApiKey/token (whatever you call it), you can (and should) use a database library with SQL Injection protection built in... etc.
There are really uncountable ways you can protect yourself from attacks; I suggest googling something regarding SQL Injection and XSS. This will help you understand how attacks work and you will surely find a number of common ways to protect yourself.
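
As an added illustration of the advice in the reply above (not part of the original post): a PHP login handler that checks a request key and looks the user up through a PDO prepared statement. The table layout, the `API_KEY` value, the `login()` helper and the sample requests are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

const API_KEY = 'constructed-demo-key'; // hypothetical key the client sends

// Handles one login request; $post plays the role of $_POST.
function login(PDO $pdo, array $post): bool
{
    // Reject requests without the expected key (constant-time comparison).
    if (!hash_equals(API_KEY, (string)($post['key'] ?? ''))) {
        return false;
    }
    $name = (string)($post['name'] ?? '');
    $pass = (string)($post['pass'] ?? '');

    // Placeholder binding: the name travels as data and is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();

    // Only a hash is stored; password_verify checks the submitted password.
    return is_string($hash) && password_verify($pass, $hash);
}

// Constructed requests: valid login, quote-laden name, wrong key.
$requests = [
    ['key' => API_KEY, 'name' => 'alice', 'pass' => 'correct horse'],
    ['key' => API_KEY, 'name' => "alice' OR '1'='1", 'pass' => 'x'],
    ['key' => 'wrong', 'name' => 'alice', 'pass' => 'correct horse'],
];
foreach ($requests as $r) {
    echo $r['name'], ' => ', login($pdo, $r) ? 'accepted' : 'rejected', PHP_EOL;
}
```

A key shipped inside a game client can be read out of it, so treat it as a filter for stray requests and rely on the prepared statement and the password hash as the real controls. The POST itself should travel over HTTPS so the credentials are not readable in transit.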