It looks as though the application doesn't enforce security and SQL injection is possible, amongst other vulnerabilities.
E.g., look at:
$userData = $db->select()
    ->from(array('a' => 'main_users'), array('aid' => 'a.id'))
    ->joinInner(array('r' => 'main_roles'), 'r.id=a.emprole', array("def_status" => "if(r.group_id in (1,5) and a.userstatus = 'new','old',a.userstatus)"))
    // $corpEmail is concatenated straight into the SQL string, unquoted
    ->where("a.isactive = 1 AND r.isactive = 1 AND a.emptemplock = 0 AND (a.employeeId = '".$corpEmail."' OR a.emailaddress = '".$corpEmail."')");

$new_userdata = $db->select()
    ->from(array('ac' => $userData), array('count' => 'count(*)'))
    ->where("ac.def_status = 'old'");

$statesData = $this->select()
    ->setIntegrityCheck(false)
    ->from(array('s' => 'main_states'), array('s.*'))
    ->joinLeft(array('c' => 'tbl_countries'), 's.countryid=c.id', array('country_name' => 'c.country_name'))
    // $where, $by and $sort are passed through as raw SQL fragments
    ->where($where)
    ->order("$by $sort")
    ->limitPage($pageNo, $perPage);
By inputting malicious parameter values, the application can be forced to perform arbitrary SQL queries, which can compromise the entire HRM.
Am I missing something here? Is there some global input validation or security module used to protect against this that I didn't notice?
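To make the point concrete, here is an added example (not code from the post or from the HRM project it discusses) that reproduces the first query's user lookup with PDO over an in-memory SQLite table. The schema, the two rows and the test inputs are constructed for the example. `lookupConcat()` builds the condition by string concatenation exactly as the `where()` call above does; `lookupPrepared()` binds the same value as a parameter, so whatever the caller passes is compared as data and can never alter the query text.

```php
<?php
// Added example: contrasts string-concatenated SQL (as in the post's where() call)
// with a prepared statement. Uses PDO + in-memory SQLite so it runs offline.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema and rows, loosely modelled on main_users in the post.
    $db->exec('CREATE TABLE main_users (id INTEGER PRIMARY KEY, employeeId TEXT, emailaddress TEXT, isactive INTEGER)');
    $db->exec("INSERT INTO main_users VALUES (1, 'E100', 'alice@example.invalid', 1), (2, 'E101', 'bob@example.invalid', 1)");
    return $db;
}

// Vulnerable form: mirrors where("... a.employeeId = '".$corpEmail."' ...") from the post.
// The caller-controlled string becomes part of the SQL text.
function lookupConcat(PDO $db, string $corpEmail): array {
    $sql = "SELECT id FROM main_users a WHERE a.isactive = 1"
         . " AND (a.employeeId = '" . $corpEmail . "' OR a.emailaddress = '" . $corpEmail . "')";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed; the value travels as a bound parameter.
function lookupPrepared(PDO $db, string $corpEmail): array {
    $stmt = $db->prepare('SELECT id FROM main_users a WHERE a.isactive = 1'
                       . ' AND (a.employeeId = :byId OR a.emailaddress = :byMail)');
    $stmt->execute([':byId' => $corpEmail, ':byMail' => $corpEmail]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();
$normal  = 'alice@example.invalid';   // constructed: a legitimate lookup value
$hostile = "' OR '1'='1";             // constructed: a value containing an unescaped quote

printf("concat   / normal  : %s\n", json_encode(lookupConcat($db, $normal)));
printf("concat   / hostile : %s\n", json_encode(lookupConcat($db, $hostile)));
printf("prepared / normal  : %s\n", json_encode(lookupPrepared($db, $normal)));
printf("prepared / hostile : %s\n", json_encode(lookupPrepared($db, $hostile)));
```

Run with `php example.php` (needs the pdo_sqlite extension). With the normal value both functions return only Alice's id; with the quote-bearing value the concatenated query's condition collapses to a tautology and returns every active user, while the prepared query returns no rows because no user has that literal string as an id or address. The same fix is available inside Zend_Db itself: `Zend_Db_Select::where()` accepts a `?` placeholder and a value (`->where('a.employeeId = ? OR a.emailaddress = ?', ...)` style, quoting via `quoteInto()`), so the post's query can be repaired without leaving the framework. The third query's `where($where)` and `order("$by $sort")` need a different treatment, since column names and sort direction cannot be bound as parameters: check `$by` against an allow-list of column names and restrict `$sort` to `ASC`/`DESC` before they reach the builder.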