The page "login.php" can be exploited, allowing a user to inject malicious code.
Example: "login.php?user=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E"
To avoid this simply filtering the output data.
Reference: https://en.wikipedia.org/wiki/Cross-site_scripting