Protection against SQL injection is an absolute necessity. I've been taught that security is not just a layer that you slap on, but an integral part of any application. Allowing raw user input into a database is not only dangerous for the entire database schema and the information stored therein, but allows for the theft of personal user information including, but certainly not limited to, names, email and home addresses.
A single malicious query to your database could completely wipe out any information stored as well as all the tables in which it is stored.
Just imagine if freelancer didn't protect against injection, this:
'drop database databasename;
Could wipe out everything.
Care should also be taken to ensure the server (likely Apache) is secured as well.
It probably wouldn't take the entire two days to complete this task.
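The difference between pasting user input into the SQL text and binding it as a parameter is easiest to see when both are run side by side. The block below is an added example, not code from the original post: it builds a small in-memory SQLite table with constructed sample rows, looks a user up the unsafe way (string formatting) and the safe way (a `?` placeholder), and checks whether the table survives a stacked-statement input modeled on the post's own `drop` example. `executescript()` is used in the unsafe path only to stand in for database drivers that execute several statements in one call, which SQLite's plain `execute()` refuses.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Hostile input in the spirit of the post's "drop" example: the leading quote
# closes the string literal, the semicolon ends the statement, and "--"
# comments out whatever the application appended afterwards.
HOSTILE_INPUT = "'; DROP TABLE users; --"


def fresh_db():
    """Create an in-memory database with a populated users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def table_exists(conn, table):
    """Return True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def lookup_unsafe(conn, name):
    """Deliberately vulnerable: user input is spliced into the SQL text.

    executescript() stands in for drivers that run stacked statements;
    with hostile input the second statement is executed as SQL.
    Returns the SQL string that was actually run so callers can inspect it.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    conn.executescript(sql)
    return sql


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    print("safe lookup, legitimate name:", lookup_safe(conn, "alice"))
    print("safe lookup, hostile input:", lookup_safe(conn, HOSTILE_INPUT))
    print("table intact after safe lookup:", table_exists(conn, "users"))
    print("unsafe SQL actually run:", lookup_unsafe(conn, HOSTILE_INPUT))
    print("table intact after unsafe lookup:", table_exists(conn, "users"))
```

With the parameterized version the hostile string is simply compared against the `name` column and matches nothing; the table is untouched. The formatted version hands the database a second statement, and the table is gone. The fix is the same in PHP, Java or any other stack fronted by Apache: prepared statements with bound parameters for every value that originates from a user.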