girvo 4 days ago

That reminds me of all the SQL injection vulns that we used to blame on PHP. As PHP becomes less popular, and the same/similar vulnerabilities remain, I realise it's more just bad practices (though ~2000-early 2010s PHP really was pretty rough when it came to creating those holes, but that might just be a function of how popular it was!)

Nice work on finding it :)

rsch 4 days ago

PHP was blamed for a good reason: for a long time it did not by default support prepared SQL statements. You could install the mysqli extension to gain such support but that was almost never available on shared web hosts.

allset_ 4 days ago

And every tutorial you could find on how to use PHP with a database was a tutorial on how to add SQL injection to your site.

girvo 4 days ago

That was the bigger problem, IMO, in that even once PDO existed and the MySQL extension was "fixed" to have prepared statements, so much of the documentation still did it wrong.

And yet similar classes of bugs still pop up today, even with what I would've assumed to be safe defaults? I'm guessing it's non-standard databases or DB clients or something?

This case is more just a pure lack of sanitisation, but it's fascinating to see in 2025 still :)
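As an added illustration of the two patterns the thread contrasts (example code written for this discussion, not anything the commenters posted): the string-concatenation query that old PHP tutorials taught, beside the PDO prepared-statement form that rsch and girvo refer to. The table, column names and the two function names are made up for the example; it uses an in-memory SQLite database so it runs offline with `php example.php` on any PHP build that includes the `pdo_sqlite` extension.

```php
<?php
// Added example, not from the thread: concatenated SQL versus a PDO prepared statement.
// Requires the pdo_sqlite extension, which ships with most PHP builds.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data (table and rows are invented for this example).
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// VULNERABLE: the request value is pasted into the SQL text, so the value can
// change the shape of the query. This is what the old tutorials did.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed at prepare time; the value is sent as a bound
// parameter and is only ever compared as data, never parsed as SQL.
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username, role FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'bob';
$hostile = "' OR '1'='1";   // constructed input that closes the quote and adds a clause

printf("vulnerable, normal input:  %d row(s)\n", count(findUserVulnerable($pdo, $normal)));
printf("vulnerable, hostile input: %d row(s)\n", count(findUserVulnerable($pdo, $hostile)));
printf("prepared,   normal input:  %d row(s)\n", count(findUserPrepared($pdo, $normal)));
printf("prepared,   hostile input: %d row(s)\n", count(findUserPrepared($pdo, $hostile)));
```

With the concatenated version the hostile string turns the `WHERE` clause into `username = '' OR '1'='1'` and every row comes back; with the prepared version the same string is compared literally as a username and matches nothing. One caveat for the MySQL driver: PDO emulates prepared statements client-side by default, so set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the server to do the parameter binding.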