The root cause of the bug here is not SQL injection. It's that one of the query functions is overloaded to do different things depending on what datatype you pass to it, and that the user can manipulate that datatype (for example, by passing an object in a part of a JSON message that would usually contain a string). Of course, this is only really serious if one of the overloads gives too much power (in this vulnerability's case it would let you run an arbitrary query).
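The pattern described above, as an added example that is not part of the original comment and is not code from the affected project: `findUser`, `handleUnsafe` and `handleSafe` are hypothetical names, and the helper only returns the statement it would run, so no database is needed. It shows a type-overloaded query helper receiving a JSON-controlled value, next to a handler that pins the type first.

```javascript
// Hypothetical data-access helper (constructed for illustration, not a real library).
// It is overloaded on the type of `id`:
//   string -> bound as a parameter in a fixed statement
//   object -> treated as a caller-supplied query description
function findUser(id) {
  if (typeof id === 'object' && id !== null) {
    // The powerful overload: statement text comes from the argument.
    return { text: id.text, values: id.values || [] };
  }
  return { text: 'SELECT name FROM users WHERE id = $1', values: [id] };
}

// Handler as the comment describes it: it assumes msg.id is a string,
// but JSON lets the sender choose the datatype.
function handleUnsafe(body) {
  const msg = JSON.parse(body);
  return findUser(msg.id);
}

// Hardened handler: enforce the expected type and shape before the value
// can select an overload.
function handleSafe(body) {
  const msg = JSON.parse(body);
  if (typeof msg.id !== 'string' || !/^[0-9]{1,10}$/.test(msg.id)) {
    throw new TypeError('id must be a numeric string');
  }
  return findUser(msg.id);
}

// Constructed sample messages.
const asString = '{"id":"42"}';
const asObject = '{"id":{"text":"SELECT 1"}}';

// Returns true if the handler rejects the message, false if it accepts it.
function rejects(handler, body) {
  try { handler(body); return false; } catch (e) { return e instanceof TypeError; }
}

console.log(handleUnsafe(asString).text); // fixed statement, id is bound
console.log(handleUnsafe(asObject).text); // statement text taken from the message
console.log(rejects(handleSafe, asObject)); // object is refused
```

Note that no quoting or escaping is bypassed here: the string path is correctly parameterized, and the problem only appears once the argument's type changes.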