wheel - 2:48 pm on Jun 13, 2011 (gmt 0)
although I expect that will cost more than just the fee to fix it?
More than the fee to fix it, plus any potential future vulnerabilities?
I think it's fair enough that they charge you for their time to fix it (though 3 days? That seems excessive to me). But in 2008, it'd seem that they should've done a check for MySQL injection before launching the code. Not doing so seems pretty delinquent to me.
In other words, if you're going to keep them, pay them. But consider moving on (though now may not be the time to move - first thing is get the site back online).
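What a "check for MySQL injection before launching the code" can look like in practice, as an added example that is not from this thread or from the site being discussed. It uses Python's standard-library sqlite3 module as a stand-in for MySQL, and the users table, its rows, the two login functions and the payload list are all constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the site's real users table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

# Constructed test payloads: the classic tautology and a comment-based bypass.
PAYLOADS = [
    "' OR '1'='1",   # turns the WHERE clause into something true for every row
    "alice'--",      # closes the string, then comments out the password check
]


def make_db():
    """Build an in-memory database with the sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The 2008-style bug: user input is pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """The fix: bound parameters, so input is treated as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def injection_check(login):
    """Pre-launch check: feed each payload as both username and password.

    Returns a dict payload -> list of usernames the routine authenticated
    (or a single 'error: ...' entry if the query failed to parse, which is
    itself a sign that input reached the SQL parser).
    """
    conn = make_db()
    findings = {}
    for payload in PAYLOADS:
        try:
            rows = login(conn, payload, payload)
        except sqlite3.Error as exc:
            rows = ["error: %s" % exc]
        findings[payload] = sorted(rows)
    return findings


def is_vulnerable(login):
    """True if any payload authenticated someone or broke the query."""
    return any(rows for rows in injection_check(login).values())


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, injection_check(fn), "-> vulnerable:", is_vulnerable(fn))
```

The check is deliberately black-box: it only needs the login routine and a throwaway database, so it can run as part of a release test without access to the rest of the code. Against the concatenated version the tautology payload logs in as every user and `alice'--` logs in as alice with no password at all; against the parameterized version both payloads are just strings that match nobody.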