
Protect my variables


chizu
01-31-2008, 01:18 AM
Hello. I recently got hacked because of my carelessness. The person used Ajax and javascript to get my password and username variables and then logged into people's accounts. They typed this code into their profile and then when people viewed it, the information was sent to them through 'Starmail', the personal messaging system on my website.

I was wondering if there is any way to protect against this kind of thing. I would like to still allow HTML, CSS, and javascripts that don't kill my site in user profiles, but how should I go about preventing other things like Ajax and other php codes? Thanks!

Inigoesdr
01-31-2008, 01:26 AM
It depends on the application. Some functions you might want to check out:
strip_tags() (http://php.net/strip_tags)
htmlentities() (http://php.net/htmlentities)
mysql_real_escape_string() (http://php.net/mysql_real_escape_string)
addslashes() (http://php.net/addslashes)

hammer65
01-31-2008, 07:26 PM
I don't think I would allow any Javascript in profiles, at least not posted Javascript. There might be a way that you could provide some preset behaviors for people to insert into a personal profile, if you wanted to come up with some sort of API. Get some feedback on what kind of Javascript-related behavior users would like to have and come up with a way that they could include it using your own code.

Consider using something like BBCODE to limit the type of markup that is posted and provide your own selectable CSS themes. It's your site; customizable as it might be, you should still exercise some control over the content.
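As an added example (not code from anyone in this thread), here is the approach hammer65 describes: escape every character of the profile text first, so raw HTML and script become inert, and only then translate an allowlisted BBCode subset back into HTML. It is written in Python for illustration; PHP's htmlspecialchars()/htmlentities() plays the role of html.escape() here. The tag set, the URL scheme allowlist and the sample profile strings are assumptions/constructed for the example.

```python
import html
import re
from urllib.parse import urlparse

# Assumed allowlist: BBCode tag -> HTML element it is translated into.
SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
# Assumed allowlist of URL schemes for [url=...] links.
SAFE_SCHEMES = {"http", "https"}


def safe_url(raw):
    """Return the URL if it has an allowed scheme and a host, else None."""
    raw = raw.strip()
    parsed = urlparse(raw)
    if parsed.scheme.lower() in SAFE_SCHEMES and parsed.netloc:
        return raw
    return None


def render_profile(text):
    """Turn user-supplied profile text into HTML that contains only allowlisted markup."""
    # Step 1: escape everything. Any <script>, <img onerror=...>, etc. the user typed
    # is now literal text; the browser will display it, not execute it.
    out = html.escape(text, quote=True)

    # Step 2: translate simple paired tags. Only the tag names in SIMPLE_TAGS can
    # ever become real HTML, so there is nothing a user can "inject" here.
    for bb, tag in SIMPLE_TAGS.items():
        pattern = r"\[%s\](.*?)\[/%s\]" % (bb, bb)
        out = re.sub(pattern, r"<%s>\1</%s>" % (tag, tag), out, flags=re.S | re.I)

    # Step 3: links. The URL was escaped in step 1 (e.g. & -> &amp;), so unescape it,
    # validate the scheme, and re-escape it before placing it in an attribute.
    def url_repl(match):
        checked = safe_url(html.unescape(match.group(1)))
        if checked is None:
            return match.group(0)  # not allowed: leave the BBCode as visible text
        href = html.escape(checked, quote=True)
        return '<a href="%s" rel="nofollow">%s</a>' % (href, match.group(2))

    out = re.sub(r"\[url=([^\]]+)\](.*?)\[/url\]", url_repl, out, flags=re.S | re.I)
    return out


if __name__ == "__main__":
    # Constructed sample profile text, not taken from any real site.
    print(render_profile("<script>alert(1)</script> [b]hello[/b]"))
    print(render_profile("[url=http://example.com/?a=1&b=2]my site[/url]"))
    print(render_profile("[url=javascript:alert(1)]click[/url]"))
```

Because escaping happens before any tag translation, adding a new BBCode tag later means adding one entry to the allowlist, and nothing outside that list can reach the browser as markup.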