There’s an SQL injection vulnerability in the following page on the class parameter:
http://www.proraiders.com/rf/us/index.php?rfp=1&class=Paladin
Not sure if there are any more as I haven’t really been bothered to check. I’d recommend using PDO and prepared statements.