Forcing Code To Work !

Started by
26 comments, last by tanzanite7 10 years, 3 months ago

The browser doesn't let you type those extra characters, but you can either post from a separate file/page or use Javascript to alter the form settings.

In my case, all I have to do is pick "Forms" -> "Remove Maximum Lengths" from the always visible web developer toolbar.

Reminds me of a finished project I was handed down for greenlighting into active use some years ago when its original dev left. Instead of simply giving a go/no-go, I opted to construct a string ready for copy-paste and just showed them:
* two mouse clicks to remove the form field limitations
* copy-paste the crafted username into login form
* press enter
=> logged into the application as superuser. As an additional bonus - the login crashed the logging subsystem, without invalidating the login itself -> leaving no traces.

Not blaming the original dev too much though - he was not qualified to do the job and everyone involved knew it from the outset, they just thought "how hard can it be?".

Unfortunately the host I use has no 3rd party libraries. The server is pure PHP / HTML5 / SQL.

Pure PHP can call stored procedures on a SQL server, though. A stored procedure is much harder (next to impossible) to exploit because no matter what control characters and invalid input you send, you're not getting to tell the SQL server what queries to execute. What the server will be doing is already built into the stored procedure, you're only providing the data. You might be able to generate an error, and you might be able to post some rubbish data. But you won't be able to turn a query that verifies a password into a query that drops a table or overwrites grants.

And, pure PHP without stored procedures can prevent 99.9% of SQL attacks with one simple call to mysqli_real_escape_string if you don't want to use stored procedures.
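Added example, not code from the thread or from any poster: the same username lookup written three ways in PHP/mysqli, so the difference the post above describes is visible in code. The concatenated query is the pattern that lets a crafted username alter the query, the escaped version is the mysqli_real_escape_string approach, and the prepared CALL is the stored procedure route. The table and column names, the procedure name, the credentials and the mysqlnd-backed get_result() are all assumptions.

```php
<?php
// Assumed schema: users(username, password_hash) and a stored procedure
// sp_get_user_hash(IN p_username VARCHAR(64)) that SELECTs one user's hash.
$db = new mysqli('localhost', 'app', 'secret', 'app');
$db->set_charset('utf8mb4'); // escaping is only correct once the connection charset is set

// 1. Vulnerable: user input spliced into the SQL text. The browser's maxlength
//    is not enforced server-side, so any string arrives here and can change
//    the query's structure instead of just supplying data.
function lookup_hash_unsafe(mysqli $db, string $username): ?string {
    $sql = "SELECT password_hash FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch_assoc();
    return $row['password_hash'] ?? null;
}

// 2. Escaping, as suggested in the post: correct only when the escaped value
//    sits inside a quoted string literal. It does nothing for numeric
//    contexts, identifiers, ORDER BY or LIMIT clauses.
function lookup_hash_escaped(mysqli $db, string $username): ?string {
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT password_hash FROM users WHERE username = '$safe'";
    $row  = $db->query($sql)->fetch_assoc();
    return $row['password_hash'] ?? null;
}

// 3. Prepared statement calling the stored procedure: the SQL is parsed before
//    the value is bound, so the username is only ever data, never query text.
function lookup_hash_prepared(mysqli $db, string $username): ?string {
    $stmt = $db->prepare('CALL sp_get_user_hash(?)');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    return $row['password_hash'] ?? null;
}

// Server-side input check, independent of any form attribute the client can edit.
function valid_username(string $username): bool {
    return strlen($username) <= 64
        && preg_match('/^[A-Za-z0-9_.-]+$/', $username) === 1;
}

$username = $_POST['username'] ?? '';
if (!valid_username($username)) {
    http_response_code(400);
    exit;
}
$hash = lookup_hash_prepared($db, $username);
$loggedIn = $hash !== null && password_verify($_POST['password'] ?? '', $hash);
```

Only the prepared-statement variant should be reachable from the login handler; the other two are kept for comparison.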
