@XSGeek - in my case I was too busy removing the fact that the previous "architect" created more SQL injection vectors, logic bottlenecks and other "quick hacks" to bother with.

One of those vectors, and the hardest to remove since he created several other sites that depended on it, was to allow straight SQL in an API POST.