Once I saw

```php
$username = $_REQUEST['username'];
$pass = $_REQUEST['password'];
$qry = "SELECT * FROM `user` WHERE `email` = '$username' AND `password` = '".md5($pass)."'";
```

I stopped reading. This is horrible. There is no sanitation of user-provided input, so it would be incredibly easy to compromise your database. On top of that, the password is only hashed with MD5, which hasn't been reliable as a password hashing mechanism for years.
User input sanitation is quite possibly the first and most important aspect of web development security. If the person didn't get this right, I personally wouldn't trust them to do anything properly.
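
A hardened form of the login query criticised above, as an added example that is not part of the original post or of the reviewed code: the e-mail is bound as a query parameter and the password is stored with `password_hash()` instead of `md5()`. The in-memory SQLite database, the table layout, the function names `register` and `authenticate`, and the sample account are assumptions made so the block runs stand-alone.

```php
<?php
// Added example: schema and sample account are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)');

// Registration: store a salted, deliberately slow hash instead of md5().
function register(PDO $pdo, string $email, string $pass): void
{
    $stmt = $pdo->prepare('INSERT INTO user (email, password) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => password_hash($pass, PASSWORD_DEFAULT)]);
}

// Login: the e-mail travels as a bound parameter, never as part of the SQL text,
// and the password is checked in PHP against the stored hash.
function authenticate(PDO $pdo, string $email, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT id, password FROM user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null; // same result for unknown user and wrong password
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE user SET password = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($pass, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// The quote in this constructed address is stored and matched as plain data.
register($pdo, "o'brien@example.com", 'correct horse battery staple');

var_dump(authenticate($pdo, "o'brien@example.com", 'correct horse battery staple')); // user id
var_dump(authenticate($pdo, "o'brien@example.com", 'wrong password'));               // null
var_dump(authenticate($pdo, 'nobody@example.com', 'correct horse battery staple'));  // null
```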