"It should be said, however, there's no evidence to suggest this was actually exploited in the real world."
Sure, maybe "no evidence", but still "highly likely", because such things are being found out invariably – either by accident or by trying – and once found out, these tricks will be making the rounds. To pranksters, creeps, criminals, and sleuths.
The usual playing down of these flaws. I'm surprised by the missing "Ibis Hotels takes the safety and security of our guests very seriously."
$sql = sprintf("select * from BOOKINGS where BOOKINGCODE like '%s'", str_replace("-", "%", $entered_code));
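
An added example, not part of the original comment or any real system's code: the commenter's query pattern run beside a hardened lookup, showing how turning "-" into the LIKE wildcard "%" lets an incomplete code match every booking. The in-memory SQLite table, the sample rows, the assumed `NNNN-NN` code format and the function names `lookup_like` and `lookup_exact` are all constructed for illustration.

```php
<?php
// Constructed schema and sample rows; nothing here comes from a real system.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE BOOKINGS (BOOKINGCODE TEXT PRIMARY KEY, GUEST TEXT)");
$ins = $db->prepare("INSERT INTO BOOKINGS VALUES (?, ?)");
foreach ([['4821-77', 'guest A'], ['9034-12', 'guest B'], ['5567-40', 'guest C']] as $row) {
    $ins->execute($row);
}

// Pattern from the comment: user input is pasted into the SQL text and
// every '-' is rewritten to '%', which LIKE treats as "any run of characters".
function lookup_like(PDO $db, string $entered_code): array {
    $sql = sprintf("select * from BOOKINGS where BOOKINGCODE like '%s'",
                   str_replace("-", "%", $entered_code));
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a complete code (format is an
// assumption of this example), then compare for equality via a bound parameter.
function lookup_exact(PDO $db, string $entered_code): array {
    if (!preg_match('/\A[0-9]{4}-[0-9]{2}\z/', $entered_code)) {
        return [];
    }
    $stmt = $db->prepare("SELECT * FROM BOOKINGS WHERE BOOKINGCODE = ?");
    $stmt->execute([$entered_code]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare both lookups on a complete code and on a code made only of dashes.
foreach (['4821-77', '------'] as $code) {
    printf("%-8s like: %d row(s)  exact: %d row(s)\n",
           $code,
           count(lookup_like($db, $code)),
           count(lookup_exact($db, $code)));
}
```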