Did I misunderstand the approach, or is it sort of risky, as it uses escaping instead of bind parameters to create the query to be explained, potentially opening itself to SQLi?
There's a mention of injection considerations in both the article and code snippet. The article is definitely a sketch of a cute approach and doesn't claim to be a full production solution.
code_biologist | 4 years ago
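As an added illustration of the escaping-versus-binding point raised in the thread (example code, not from the article or either commenter; the schema, rows, payload and function names are constructed for this demo), the following compares three ways of building a query that is then handed to EXPLAIN QUERY PLAN in SQLite. The escaping-based builder is only safe when the escaper is applied at every interpolation site; the bound-parameter version never puts the value into the SQL text at all, so the plan stays an indexed SEARCH no matter what the input contains.

```python
import sqlite3

# Constructed sample schema and rows (not from the article) so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.execute("CREATE INDEX users_name ON users(name)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def explain_plan(conn: sqlite3.Connection, sql: str, params=()) -> str:
    """Run EXPLAIN QUERY PLAN on the given statement and join the 'detail'
    column (the last column in every SQLite version) into one string."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(row[-1]) for row in rows)


def escape_literal(value: str) -> str:
    """Hand-rolled SQLite string-literal escaping: quote it, double embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def plan_interpolated(conn: sqlite3.Connection, name: str) -> str:
    """Escaping-based builder where this one site forgot to call the escaper:
    the value lands in the SQL text verbatim and can change the statement."""
    return explain_plan(conn, f"SELECT role FROM users WHERE name = {name}")


def plan_escaped(conn: sqlite3.Connection, name: str) -> str:
    """Escaping-based builder done right at this site: the value becomes a
    single string literal, so the planner still sees an indexed equality."""
    return explain_plan(conn, f"SELECT role FROM users WHERE name = {escape_literal(name)}")


def plan_bound(conn: sqlite3.Connection, name: str) -> str:
    """Bind-parameter builder: the SQL text never contains the value, so the
    value cannot alter the structure of the statement being explained."""
    return explain_plan(conn, "SELECT role FROM users WHERE name = ?", (name,))


# Constructed hostile input: closes the string literal and appends a tautology.
PAYLOAD = "'x' OR 1=1"


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("interpolated", plan_interpolated),
                      ("escaped", plan_escaped),
                      ("bound", plan_bound)):
        print(f"{label:13s} {fn(db, PAYLOAD)}")
```

The plan itself makes the injection visible: the unescaped site turns the indexed lookup into a full SCAN because `OR 1=1` became part of the WHERE clause, while both the correctly escaped and the bound versions report a SEARCH on `users_name`. The difference between the last two is that the escaped variant depends on a human remembering `escape_literal` at every site, and bind parameters remove that dependency; neither, however, can bind identifiers such as table or column names, which still need an allowlist if they come from outside.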