The problem is not that this query was not escaped; the problem is that: 1) unparameterized queries are allowed in the code, 2) user input is obviously not properly checked in all cases, and 3) a WAF (Web Application Firewall) was not used or was not set up properly.
Other than that, thanks to OP for the in-depth write-up. It helps to be reminded from time to time why security matters.
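Added example illustrating the commenter's first point (that parameterizing the query, not escaping it, is the fix). This is not code from the OP's write-up or from the commenter; the `users` table, its rows, and the function names are constructed for the demo. It runs against an in-memory SQLite database and shows three lookups side by side: string concatenation, quote-escaping in a numeric context (where escaping does nothing), and a parameterized query with an explicit input check.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """Vulnerable: the query is built by string formatting, so the input
    becomes part of the SQL grammar instead of being treated as a value."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, raw_id):
    """Still vulnerable: single quotes are doubled, but the value lands in a
    numeric context with no quotes around it, so escaping does not help."""
    escaped = str(raw_id).replace("'", "''")
    sql = f"SELECT id, name FROM users WHERE id = {escaped}"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """Parameterized: the driver passes the value separately from the SQL
    text, so the input can never alter the structure of the query."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def parse_user_id(raw_id):
    """Input check (hypothetical policy): accept only a plain decimal integer."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError(f"invalid user id: {raw_id!r}")
    return int(raw_id)


def find_by_id_param(conn, raw_id):
    """Parameterized lookup on a validated integer id."""
    user_id = parse_user_id(raw_id)
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("concat      :", find_by_name_concat(db, payload))    # every row
    print("parameterized:", find_by_name_param(db, payload))    # no rows
    print("escaped id  :", find_by_id_escaped(db, "1 OR 1=1"))  # every row
    print("param id    :", find_by_id_param(db, "1"))           # one row
```

The escaped-id case is the one worth remembering: quote-escaping only protects values that sit inside quotes, and a later refactor that moves a value into a numeric or identifier position silently loses that protection. Bound parameters do not have that failure mode, which is why they, and not escaping, are the baseline the comment argues for.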