Yup, and there we can see the password is just splatted in with no salt. 99%+ the password is an injection attack too, but one only needs one set of the keys to the kingdom to make the point, so the article never discusses getting in via password instead and the author may well never have checked, because it couldn't make things any worse.