by TacticalMalice 4263 days ago
The key was used to name expanded placeholders. The intent was to get "placeholder_1", "placeholder_2" ... "placeholder_N" in the query for the number of elements in the argument array.

However, arrays can have non-numerical keys. This results in "placeholder_KEY", "placeholder_KEY2".

If the key is a SQL query fragment, that ends up verbatim in the placeholders section.

Suppose you pass $_GET['foo'] as a query argument. An attacker can (simplified) supply ?foo[EXPLOIT] and poof, $_GET['foo'] is an array with 'EXPLOIT' among the keys that suddenly gets into the query verbatim.
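As an added illustration (not the commenter's code): a minimal PHP sketch of the placeholder expansion the comment describes, with the key-based version beside one that renumbers the values itself. The function names, the query and the sample input are assumptions.

```php
<?php
// Added example, not from the original thread. Assumed helper names:
// expandPlaceholdersVulnerable / expandPlaceholdersFixed.

// Vulnerable: builds placeholder names from the array's keys. With a plain
// list the keys are 0, 1, 2 and the result looks fine; with a string key,
// that key is copied verbatim into the SQL text.
function expandPlaceholdersVulnerable(string $query, string $name, array $values): array {
    $names = [];
    $args  = [];
    foreach ($values as $key => $value) {
        $placeholder = $name . '_' . $key;   // caller-controlled key lands in the SQL
        $names[] = $placeholder;
        $args[$placeholder] = $value;
    }
    $sql = str_replace($name, implode(', ', $names), $query);
    return [$sql, $args];
}

// Hardened: ignore the caller's keys and number the placeholders ourselves,
// so nothing from the (possibly user-controlled) array reaches the SQL text.
function expandPlaceholdersFixed(string $query, string $name, array $values): array {
    $names = [];
    $args  = [];
    foreach (array_values($values) as $i => $value) {
        $placeholder = $name . '_' . $i;     // always an integer index
        $names[] = $placeholder;
        $args[$placeholder] = $value;
    }
    $sql = str_replace($name, implode(', ', $names), $query);
    return [$sql, $args];
}

// Constructed input standing in for $_GET['foo'] after a request like
// ?foo[]=1&foo[not_a_number]=2: one numeric key and one string key.
$userInput = [0 => '1', 'not_a_number' => '2'];
$query = 'SELECT * FROM users WHERE id IN (:ids)';

[$sqlVuln, $argsVuln]   = expandPlaceholdersVulnerable($query, ':ids', $userInput);
[$sqlFixed, $argsFixed] = expandPlaceholdersFixed($query, ':ids', $userInput);

// The string key is visible in the vulnerable query text; the fixed version
// emits only :ids_0 and :ids_1 regardless of what keys the caller supplied.
echo $sqlVuln, "\n";
echo $sqlFixed, "\n";

// Defensive check usable at the call site: refuse anything that is not a
// plain 0..n-1 list before it ever reaches a placeholder expander.
function isPlainList(array $values): bool {
    return array_keys($values) === range(0, count($values) - 1);
}
```

Running it with `php example.php` prints the two expanded queries; `isPlainList($userInput)` is false for the constructed input and true for `['1', '2']`.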