PHP 2008

I was asked to look at and move a site written by a system administrator. The site is written in PHP without any framework. What do you say, friends? It is 2008 outside, and inside it is nothing but global variables. And things like: "INSERT INTO ... " . $_GET["Param1"], and it does this at every turn. How their site has not been hacked so far, I do not understand.
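
The concatenation pattern quoted above, next to a parameterized form, as an added example that is not code from the site or from the post's author. The `comments` table, the `author` column, the function names and the in-memory SQLite database are assumptions made for illustration, and the input is a constructed stand-in for `$_GET["Param1"]`.

```php
<?php
// Added example: table, column and function names are hypothetical, not the site's code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL)');

// Constructed stand-in for $_GET: an ordinary surname that contains a quote.
$input = ["Param1" => "O'Brien"];

// Pattern from the post: request data concatenated into the SQL text.
function insertConcatenated(PDO $pdo, array $get): string
{
    $sql = "INSERT INTO comments (author) VALUES ('" . $get["Param1"] . "')";
    try {
        $pdo->exec($sql);
        return "ok";
    } catch (PDOException $e) {
        // The quote inside the value closed the string literal early, so the
        // remainder of the value was parsed as part of the statement.
        return "statement broken by input: " . $e->getMessage();
    }
}

// Hardened form: the SQL text is constant and the value is a bound parameter.
function insertPrepared(PDO $pdo, array $get): string
{
    $value = $get["Param1"] ?? null;
    // A query string such as ?Param1[]=x yields an array, so check the type too.
    if (!is_string($value) || $value === '' || strlen($value) > 100) {
        return "rejected";
    }
    $stmt = $pdo->prepare('INSERT INTO comments (author) VALUES (:author)');
    $stmt->execute([':author' => $value]);
    return "ok";
}

echo insertConcatenated($pdo, $input), PHP_EOL; // the value alters the statement
echo insertPrepared($pdo, $input), PHP_EOL;     // the value stays data
echo $pdo->query('SELECT author FROM comments')->fetchColumn(), PHP_EOL;
```

When auditing a code base like the one described, searching for `$_GET`, `$_POST` and `$_REQUEST` appearing inside string-built queries gives the list of call sites to convert to bound parameters.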