I'm glad it isn't just me who thought its iffy. This guys already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.
We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the sites functionality as intended, ppl were getting double credits and such.