allset_ 4 days ago

And every tutorial you could find on how to use PHP with a database was a tutorial on how to add SQL injection to your site.

girvo 4 days ago

That was the bigger problem, IMO, in that even once PDO existed and the MySQL extension was "fixed" to have prepared statements, so much of the documentation still did it wrong.

And yet similar classes of bugs still pop up today, even with what I would've assumed to be safe defaults? I'm guessing it's non-standard databases or DB clients or something?

This case is more just a pure lack of sanitisation, but it's fascinating to see in 2025 still :)