Picking a development framework and re-implementing the application on it will significantly improve the application's maintainability.
If you want a way of justifying this from a cost perspective, do an audit with a SQL injection testing tool and you'll probably find a million things wrong. Some of these things will be so terrifying you'll be tempted to just burn the codebase to the ground and start over.
The best approach is to migrate, feature by feature, page by page, from the old application to the new one. Often you can do this by creating a content map, adding rewrite rules to map particular URLs to the legacy code, then start deleting these rules one by one as they're no longer required.
Remember to have a robust mapping table if you ever change URLs. Returning a 301 Permanent redirect is the best way to do this.
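As an added illustration of the routing scheme above (this is example code, not from the original answer or any particular project), here is a small URL map that decides, per request, whether to hand the path to the legacy code, redirect with a 301 to the renamed page, or serve it from the new application. The tables and paths are constructed placeholders; the chain-collapsing and same-origin checks are the parts a reviewer would want in a real mapping table, since a redirect that accepts arbitrary targets becomes an open redirect.

```python
"""
Constructed example: a migration URL map with legacy pass-through,
301 redirects for renamed URLs, and rule retirement as pages are ported.
All paths below are made-up placeholders.
"""
from urllib.parse import urlsplit, urlunsplit

# Paths still served by the legacy code. Shrinks as pages are migrated.
LEGACY_PREFIXES = {"/reports", "/admin/export.php"}

# Old path -> current path. Entries may chain (a URL renamed twice), so
# resolve_redirect() collapses the chain into a single 301 target.
MOVED = {
    "/products.php": "/catalog",
    "/catalog": "/shop",
    "/news.php": "/blog",
}

MAX_HOPS = 10  # guards against a loop introduced by a bad table edit


def resolve_redirect(path):
    """Follow MOVED to the final path; return None if the path never moved.
    Raises ValueError on a loop or an over-long chain."""
    seen = []
    cur = path
    while cur in MOVED:
        if cur in seen or len(seen) >= MAX_HOPS:
            raise ValueError(f"redirect loop in mapping table at {cur}")
        seen.append(cur)
        cur = MOVED[cur]
    return cur if seen else None


def is_safe_target(location):
    """Allow only same-origin, absolute-path targets. A scheme, a host, or a
    protocol-relative '//host' target would turn the 301 into an open redirect."""
    parts = urlsplit(location)
    return (parts.scheme == "" and parts.netloc == ""
            and location.startswith("/") and not location.startswith("//"))


def retire_legacy_prefix(prefix):
    """Delete a legacy rule once its page has been ported.
    Returns True if a rule was removed."""
    if prefix in LEGACY_PREFIXES:
        LEGACY_PREFIXES.discard(prefix)
        return True
    return False


def route(url):
    """Decide how to handle a request URL.
    Returns ('redirect', 301, new_url), ('legacy', path) or ('new', path)."""
    parts = urlsplit(url)
    path = parts.path
    target = resolve_redirect(path)
    if target is not None:
        if not is_safe_target(target):
            raise ValueError(f"refusing unsafe redirect target {target!r}")
        # Carry the query string across so bookmarked links keep working.
        return ("redirect", 301, urlunsplit(("", "", target, parts.query, "")))
    if any(path == p or path.startswith(p + "/") for p in LEGACY_PREFIXES):
        return ("legacy", path)
    return ("new", path)


if __name__ == "__main__":
    for u in ["/products.php?id=3", "/reports/monthly", "/shop"]:
        print(u, "->", route(u))
```

The decision is kept in a plain function so it can sit in front of either the web server rewrite rules or the new framework's router, and so the table can be unit-tested every time a rule is deleted.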