I had a quick glance through the code, and I would recommend you look at the following areas of the manual:
[man]trim/man: for cleaning up user input
[man]mysql_real_escape_string/man: for making your sql database a little bit safer.
Look here for lots of pages about SQL injection.
I think you should also look at your queries. At random, I looked at the query to change a password, and I could see no mechanism to enforce unique passwords: if you ran that query, then anyone who had the same password would get their password changed whether they wanted to or not. I would do a query like:
UPDATE admin
SET password='$new'
WHERE password='$old'
AND username = '$username'
That way at least the right combination would be changed, but again it would only work if you enforced uniqueness on the username.
Another thing you want to look at is your error reporting on failure of an SQL query. It's not a good idea to be giving information about the structure of the database when a query fails; it's fine for debugging, but if you look at the SQL injection links you'll see why it's not a good idea in a production environment.
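As an added example (not part of the original post or the reviewed code), here is the suggested query run against a constructed SQLite copy of the admin table in Python, with bound parameters standing in for mysql_real_escape_string; the table layout, usernames and passwords are made up, and passwords are stored as-is, exactly as the reviewed query does.

```python
import sqlite3


def make_db():
    # Constructed sample data: a small "admin" table like the one under review,
    # with username declared UNIQUE so the combined WHERE clause can only ever
    # match a single row.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE admin (username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO admin VALUES (?, ?)",
        [("alice", "secret"), ("bob", "secret"), ("carol", "other")],
    )
    db.commit()
    return db


def change_password_by_password_only(db, old, new):
    # The query the post criticises: it matches every row that shares the old
    # password, so alice and bob both get changed when either of them asks.
    cur = db.execute("UPDATE admin SET password=? WHERE password=?", (new, old))
    db.commit()
    return cur.rowcount


def change_password(db, username, old, new):
    # The post's suggested query, written with bound parameters instead of
    # interpolating '$old' and '$username' into the SQL string, so a quote or
    # OR clause in the input is treated as data and cannot change the query.
    cur = db.execute(
        "UPDATE admin SET password=? WHERE password=? AND username=?",
        (new, old, username),
    )
    db.commit()
    return cur.rowcount


def passwords(db):
    # Snapshot of the table, used to check which rows a query touched.
    return dict(db.execute("SELECT username, password FROM admin"))
```

The return value is the number of rows the UPDATE touched, so a value other than 1 on a password change is itself a sign the query matched the wrong rows.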