The post states that it is not exploitable through user input via params. They could show you the source code, but I don't know if that would be proof for you. You said that you are assuming it can be exploited, so someone should show it.
Respectfully, what do I care what the author thinks of this vulnerability? Even if they had found the SQLI condition originally (they didn't), that wouldn't mean they fully understood the exposure.
