I only spent a couple of minutes looking at the code here. I don't know much about PHP or the db_update function, so I could be wrong, but this seems a bit suspect to me.
Can you verify whether this is accepting a POST request from a user and then directly including the user input in a database update with the only validation performed being a check for whether or not it begins with a number?
https://github.com/wlox/wlox-api/blob/master/htdocs/api.php#L9
https://github.com/wlox/wlox-api/blob/master/htdocs/api.php#L28
This seems dangerous, like a potential SQL injection.
While open source software is great for large projects that get lots of eyeballs on them, utilizing a smaller project like this exposes you to a lot of risk. There are what, 2-3 contributors to safeguard how many users in your target market? Once there is any amount of financial incentive behind inspecting the code base, such as this code going live somewhere, malicious users will spend countless hours peering through the code for the most minuscule errors that could lead to a compromise. They'll set up testing environments locally so that their actions aren't detectable until the deed is done.
You should really investigate how the project is managed a bit more, as well. There appears to be no testing methodology in place: zero code coverage. The repository is set up with only the single master branch, which means that any work on new features or changes isn't separated out until it can be confirmed as valid/secure/non-breaking before getting merged.
Just be careful here. You're working with people's money.
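To make the concern above concrete, here is an added, self-contained illustration of why a "does it begin with a number?" check is not a defence against SQL injection. It is not the wlox-api code and does not reproduce what api.php actually does; it is a generic Python/sqlite3 example whose table, column names, check and inputs are all constructed for the demonstration. It places the weak pattern the comment describes beside a hardened version that validates the whole value and uses a parameterized query.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?)",
        [(1, "open"), (2, "open"), (3, "filled")],
    )
    conn.commit()
    return conn


def count_cancelled(conn):
    """Number of rows the update touched, used to compare the two variants."""
    return conn.execute(
        "SELECT COUNT(*) FROM orders WHERE status = 'cancelled'"
    ).fetchone()[0]


def starts_with_digit(value):
    """The only validation the comment describes: does the input begin with a number?
    It says nothing about what follows the first character."""
    return re.match(r"^\d", value) is not None


def update_unsafe(conn, order_id):
    """Hypothetical vulnerable pattern: user-supplied text passes the weak check and is
    then concatenated straight into the statement."""
    if not starts_with_digit(order_id):
        raise ValueError("rejected")
    sql = "UPDATE orders SET status = 'cancelled' WHERE id = " + order_id
    # Anything after the leading digit becomes part of the WHERE clause.
    conn.execute(sql)
    conn.commit()
    return count_cancelled(conn)


def update_safe(conn, order_id):
    """Hardened form: the whole value must be digits, and the value is bound as a
    parameter so the database never parses it as SQL."""
    if not re.fullmatch(r"\d+", order_id):
        raise ValueError("rejected")
    conn.execute(
        "UPDATE orders SET status = 'cancelled' WHERE id = ?",
        (int(order_id),),
    )
    conn.commit()
    return count_cancelled(conn)


if __name__ == "__main__":
    # Constructed inputs: a benign id and a value that begins with a digit but
    # carries an extra condition that widens the WHERE clause.
    benign = "2"
    widened = "1 OR 1=1"
    print("weak check accepts widened input:", starts_with_digit(widened))
    print("unsafe, benign input, rows cancelled:", update_unsafe(make_db(), benign))
    print("unsafe, widened input, rows cancelled:", update_unsafe(make_db(), widened))
    print("safe, benign input, rows cancelled:", update_safe(make_db(), benign))
    try:
        update_safe(make_db(), widened)
    except ValueError:
        print("safe, widened input: rejected before reaching the database")
```

The point of the comparison is the row count: the unsafe variant cancels every row when given input that still "begins with a number", while the hardened variant rejects that input outright and, even for input that passes, binds the value rather than splicing it into the statement. The concatenation pattern is an assumption about what a risky db_update call might look like, not a reading of the linked lines.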