by aikah 4263 days ago
Could this problem be solved by quoting parameters? I believe PDO has quoting capabilities when it comes to query parameters in prepared statements, i.e. one can state that this parameter is a string, or an integer...

The problem here is that placeholders are added to the query itself to match the number of array items. These newly constructed placeholders inadvertently contained user data.
Oh yeah, I see it now, thanks.

They are naming the query placeholders based directly on the indexes passed in the querystring parameters?

And since indexes can be whatever string, like ?name[DELETE FROM USERS]=foo&..., you end up with an exploit...
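The placeholder-expansion bug the thread describes, as an added example (a Python model of the PHP/PDO pattern, not code from the posts or from the affected project): the expansion helpers, the query template and the probe input are assumptions, written to show the vulnerable expansion beside a hardened one and a regression check that catches the vulnerable form.

```python
import re

# Added example: models in Python the PHP/PDO pattern from the thread. A
# query such as "... WHERE name IN (:name)" has its single :name placeholder
# expanded into one placeholder per element of the array bound to it.

def expand_unsafe(sql, name, values):
    """Vulnerable expansion: placeholder names are derived from the array's
    own keys, so when the array comes straight from the query string the
    keys (attacker-controlled text) are spliced into the SQL text itself."""
    placeholders = [f":{name}_{key}" for key in values]
    args = {f"{name}_{key}": val for key, val in values.items()}
    return sql.replace(f":{name}", ", ".join(placeholders)), args

def expand_safe(sql, name, values):
    """Hardened expansion: placeholder names come from a counter, so the
    keys never reach the SQL text and the values are only ever bound."""
    placeholders = [f":{name}_{i}" for i in range(len(values))]
    args = {f"{name}_{i}": val for i, val in enumerate(values.values())}
    return sql.replace(f":{name}", ", ".join(placeholders)), args

def leaks_keys_into_sql(expander,
                        sql="SELECT * FROM users WHERE name IN (:name)"):
    """Regression check for this bug class: feed the expander a constructed
    array whose key is a marker that is not a valid identifier and report
    whether that marker shows up in the generated SQL."""
    probe = {"PROBE KEY": "alice", "1": "bob"}  # constructed input
    expanded_sql, _ = expander(sql, "name", probe)
    return "PROBE KEY" in expanded_sql

if __name__ == "__main__":
    template = "SELECT * FROM users WHERE name IN (:name)"
    user_array = {"x y": "alice", "7": "bob"}   # keys as a query string would supply them
    print(expand_unsafe(template, "name", user_array))
    print(expand_safe(template, "name", user_array))
    for fn in (expand_unsafe, expand_safe):
        print(fn.__name__, "leaks keys:", leaks_keys_into_sql(fn))
```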