MySQL injection is not "bad", it is a deliberate excuse for people to lose their money.

It is deliberate because only by deliberately refusing to address the simplest most basic aspects of web app programming can it even become at all possible.

It is pretty much impossible to study how secure financial apps on the web are built without learning how NOT to make SQL injection possible, thus the only way to make it possible is to deliberately refuse to actually do secure web app development, instead opting to just spam out any garbage that looks pretty enough to sucker people into putting money into it so you can steal it and pretend it was someone else not yourself who stole it.

Any research at all into how to actually not steal people's money in web apps would cover MySQL injection.

So obviously the programmer knew full well what it was and how to prevent it and chose instead to make it possible.

It is not a "mistake", it is one of the first things anyone researchiong MySQL + Web apps is told to prevent and how to prevent.

-MarkM-