"Notice that we added a DOCTYPE to tell browsers what kind of document we have. We picked 4.01 Transitional because of its flexibility to allow deprecated elements, like <font>."
If you know PHP, you know that you shouldn't be doing it like that. He sounds like a novice. There's nothing wrong with that, but when looking at that kind of thing I would take any opinions with a grain of salt.
It doesn't really matter what the language is, SQL injection vulnerabilities are serious in any language. A competent web developer understands that -- especially a "Programmer Extraordinaire".