The problem is not that this query was not escaped, the problem was that: 1) unparametrized queries are allowed in code, 2) user input is obviously not properly checked in all cases and 3) that WAF (Web Application Firewall) was not used / set up properly.
Other than that, thanks to OP for in-depth writeup - it helps to be reminded from time to time why security matters.
Not using placeholders should be an automatic fail of any code review. Period.
Without placeholders the risk is way, way too high. A single mistake can be the end of your entire application if not career.
Don't think "Oh, this is just test code, I'll fix it later" and leave a vulnerability in your application. Always write using placeholders. No exceptions.
Are you implying that there's a way to get past escaping...? That's a new one to me. I thought escaping was precisely so you can put any value in a string and have it still work.
Yes, but you had better be 100% sure that your escaping function is completely reliable, and the server hasn't introduced some new syntax since you wrote it that you aren't escaping properly.
I would trust parameters much more (although I have used proper escaping in the past).
A few popular database drivers use escaping under the hood for parameterized query arguments. mysql2 ruby gem (and any rails stack on top of it) for example.
This should be "failure to use parameterised queries." The term 'unescaped' may lead some to think that simply escaping characters is sufficient.