Hacker News
by TacticalMalice 4263 days ago
The problem here is that placeholders are added to the query itself to match the number of array items. These newly constructed placeholders inadvertently contained user data.
1 comments

Oh yeah, I see it now, thanks.

They are naming the query placeholders based directly on the indexes passed in the querystring parameters?

And since indexes can be whatever string, like ?name[DELETE FROM USERS]=foo&..., you end up with an exploit ...
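
The placeholder expansion discussed in this thread, as an added example that is not part of the original comments or of the affected project's code: it expands one array placeholder by key (the flaw) and by position (the fix), then checks the generated names. The function names, the `:name` placeholder style and the query template are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample input: the query string from the comment, plus one normal item.
SAMPLE_QS = "name[DELETE FROM USERS]=foo&name[1]=bar"
SQL = "SELECT * FROM users WHERE name IN (:name)"  # hypothetical query template

def parse_array_param(query_string, name):
    """Collect name[key]=value pairs into a dict keyed by the raw, caller-chosen key."""
    pattern = re.compile(re.escape(name) + r"\[(.*)\]")
    items = {}
    for raw_key, value in parse_qsl(query_string, keep_blank_values=True):
        match = pattern.fullmatch(raw_key)
        if match:
            items[match.group(1)] = value
    return items

def expand_by_key(sql, placeholder, items):
    """Flawed expansion: each new placeholder is named after the array key."""
    args = {f"{placeholder}_{key}": value for key, value in items.items()}
    return sql.replace(placeholder, ", ".join(args)), args

def expand_by_position(sql, placeholder, items):
    """Corrected expansion: keys are discarded, placeholders are numbered by position."""
    args = {f"{placeholder}_{i}": value for i, value in enumerate(items.values())}
    return sql.replace(placeholder, ", ".join(args)), args

def unsafe_placeholders(args):
    """Defensive check: report placeholder names that are not a plain identifier."""
    return [name for name in args if not re.fullmatch(r":[A-Za-z0-9_]+", name)]

if __name__ == "__main__":
    items = parse_array_param(SAMPLE_QS, "name")
    for expand in (expand_by_key, expand_by_position):
        sql, args = expand(SQL, ":name", items)
        print(expand.__name__, "->", sql, "| unsafe:", unsafe_placeholders(args))
```

With key-based naming the array key ends up inside the SQL text itself, while the values stay bound in both variants; numbering by position keeps every caller-supplied string out of the query text.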