A Basic Code Review Challenge: How many vulnerabilities are you able to spot.

vulnerable.php

<?php
session_start();
extract($_GET);

$pdo = new PDO('mysql:host=localhost;dbname=test', 'root', 'toor');

if($action == 'login2') {
    $statement = $pdo->prepare("SELECT * FROM users WHERE email = '".$email."'");
    $result = $statement->execute();
    $user = $statement->fetch();

    if($user !== false and $user['password'] == $password) {
        $_SESSION['userid'] = $user['id'];
        $_SESSION['name'] = $user['name'];
    } else {
        if($user == 'admin' and $password == 'fatcat') {
            $_SESSION['userid'] = 0;
            $_SESSION['name'] = $user['admin'];
        }
        echo "The User '".$email."' does not exist";   
    }
} elseif($action == 'changepw2')) {
    $statement = $pdo->prepare("UPDATE user SET password= :password WHERE id= :uid");
    $result = $statement->execute(array(
        'password' => $_POST['password'],
        'uid' => $_POST['uid']
    ));
}

if($debug) {  echo "<!--";var_dump($_SERVER); var_dump($_SESSION); var_dump($_GET); var_dump($_POST); echo "-->";  }
?>
<html>
    <head>
        <script src="jquery-2.2.4.min.js"></script>
    </head>
    <body>
<?php
if($_SESSION['userid']) {
     echo "Welcome ".$_SESSION['name'];
}

if($action == 'login') {
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?action=login2">
Email: <input type="text" name="email" /><br />
Password: <input type="password" name="password" /><br />
</form>
<?php
}
        
if($action == 'changepw') {
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>?action=changepw2">
New Password: <input type="password" name="password" /><br />
<input type="hidden" name="uid" value="<?php echo $_SESSION['userid']; ?>" />
</form>
<?php
}
?>
    </body>
</html>