You could just get them to do pseudo code and give them something a little bigger.
The idea of doing a log in form and judging if they prevented against sql-injection is good!
I am assuming that each of the programmers knows enough about programming to get them by (since they made it through the interview and have some kind of intelligence).
But it's really easy to learn the programming side of things (straight language knowledge). I was doing it at 6 years old. And it's easy enough to pick up a refresher on a function name, or whatever. How many times have you Googled a function quickly because you just needed to be reminded of the parameter count or order?
What you want to be sure (and is much harder to teach) are things like best practices (like SQL-injection---lazy programmer to skip that!), creativity, thoroughness and adaptability.
I'd ask them to quickly outline an update page with various fields given from a database. You'll find out quickly a lot of things. If they're skipping things like SQL-injection, validation, if they have more than a fleeting knowledge (using things like filters or using depricated ereg replaces or something !). You'll also see if they have OOP skills or OOP thinking at least. Give them a quick example of the level of pseudo code you're looking for.
But lots of that can be accomplished in interview too. The things you work on in house - ask them how they would deal with that.
"You need to create a page which allows our customer to update entries in a database. How would you protect that database from accidental or purposed corruption?", "How would you validate the user's input?", "How would ensure that the page could be update in the future easily, by someone else?" - But give prompts when necessary.