this person owns their own business. he's not an advanced dev by any stretch of the imagination. he doesn't use version control, he's just starting to discover "frameworks" though i don't know if he really understands the concept yet. he taped together some php code that let him set a cookie marking himself as admin, and a setting variable that allowed him to "debug" his code. this was essentially a form box at the bottom of the page that let him run arbitrary code at certain points -- all for the sake of not swapping back to his code editor, saving, swapping back to the browser, refreshing. the site that got attacked was so small i don't know how he was found. my guess is he posted for help on a bunch of forums and left links to his site. i thought it was funny that there was some pdo code in the site, because he'd outsourced to india for a couple months to handle his workload. i've known him for longer than i've known how to code and he has a pride issue with asking me for help in that area.
if you have a form input box that lets you update variable values with ajax like as if it were firebug, you can skip prepared statements. the overall point is that with enough ignorance and carelessness you can build an app that lets someone abuse every major vulnerability, while still thinking that you're secure, even using prepared statements for your own queries.