MySQL injection is not "bad"; it is a deliberate excuse for people to lose their money.
It is deliberate because only by deliberately refusing to address the simplest most basic aspects of web app programming can it even become at all possible.
It is pretty much impossible to study how secure financial apps on the web are built without learning how NOT to make SQL injection possible; thus the only way to make it possible is to deliberately refuse to actually do secure web app development, instead opting to just spam out any garbage that looks pretty enough to sucker people into putting money into it so you can steal it and pretend it was someone else, not yourself, who stole it.
Any research at all into how to actually not steal people's money in web apps would cover MySQL injection.
So obviously the programmer knew full well what it was and how to prevent it and chose instead to make it possible.
It is not a "mistake"; it is one of the first things anyone researching MySQL + Web apps is told to prevent and how to prevent.
Thus there is probably no point even trying to "help" the perpetrator make a secure system since it is already more than obvious that they WANT there to be a way to hack, because they WANT something to point to as an "explanation" of how it could theoretically not have been an inside job.
No matter how many exploits you explain how to prevent, they will find another one, or will pretend to have made a silly error in implementing what you explained, or whatever they can do to create a loophole they can point to so as to pretend it is not them who is stealing people's coins.
Remember too this is a serial scammer/thief, gosh knows how many times over already.
-MarkM-
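The "simplest most basic" prevention the post refers to is the parameterised query. The following is an added example, not code from MarkM or from any project under discussion; it uses Python's built-in sqlite3 module as an offline stand-in for MySQL (the placeholder is `?` here rather than the `%s` used by the common MySQL connectors, but the principle is identical), with constructed sample rows, and shows that string concatenation breaks on an ordinary name containing an apostrophe while the parameterised form handles it as plain data.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database stands in for MySQL
# so the example runs offline. Placeholder syntax differs between drivers
# ("?" in sqlite3, "%s" in typical MySQL connectors); the idea is the same.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 100), ("o'brien", 250)],
    )
    conn.commit()
    return conn


def build_query_unsafe(username: str) -> str:
    """The pattern that makes injection possible: user input is pasted into
    the SQL text, so any quote in the input changes the structure of the
    statement instead of being treated as a value."""
    return f"SELECT balance FROM accounts WHERE username = '{username}'"


def lookup_balance_unsafe(conn: sqlite3.Connection, username: str):
    # Even a legitimate name with an apostrophe breaks this query
    # (sqlite3.OperationalError: unrecognized token); hostile input would
    # instead rewrite the WHERE clause. Either way the app is wrong.
    return conn.execute(build_query_unsafe(username)).fetchone()


def lookup_balance_safe(conn: sqlite3.Connection, username: str):
    """The basic prevention: a parameterised query. The SQL text is fixed and
    the driver passes the value separately, so it is only ever compared as a
    string and never parsed as SQL."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    result = {"safe_alice": lookup_balance_safe(conn, "alice"),
              "safe_obrien": lookup_balance_safe(conn, "o'brien")}
    try:
        lookup_balance_unsafe(conn, "o'brien")
        result["unsafe_obrien"] = "no error"
    except sqlite3.OperationalError:
        result["unsafe_obrien"] = "syntax error"
    return result


if __name__ == "__main__":
    print(demo())
```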