The way you’re using $wpdb->prepare doesn’t help anything. You have to properly prepare the values and then add them like with sprintf as %s or %d.
Oh, and I don’t believe “working with WP ajax for over a year”. In this case you would also know about the nopriv hooks for public usage 🙂
add_action( 'wp_ajax_nopriv_action_stats', ...
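
The point of the reply above, as an added example that is not part of the original post: a handler for the `action_stats` action registered for both logged-in and logged-out visitors, with the ineffective `prepare()` pattern shown as a comment beside the placeholder form. The callback name, the `stats` table, its columns and the request fields are hypothetical, and the "ineffective" line is an assumed typical misuse, since the question's own code is not on this page.

```php
<?php
// Added example: hypothetical handler for the 'action_stats' AJAX action.
// Table and column names (stats, post_id, label, hits) and the request
// fields (post_id, label) are assumptions made for illustration.

add_action( 'wp_ajax_action_stats', 'example_action_stats' );        // logged-in users
add_action( 'wp_ajax_nopriv_action_stats', 'example_action_stats' ); // logged-out visitors

function example_action_stats() {
    global $wpdb;

    // Request values are untrusted; normalise them before use.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $label   = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';

    // The table name is built from trusted values only, never from the request.
    $table = $wpdb->prefix . 'stats';

    // Ineffective: the value is already part of the string handed to prepare(),
    // so there is nothing left for it to escape and the query stays injectable.
    // $sql = $wpdb->prepare( "SELECT hits FROM $table WHERE label = '{$_POST['label']}'" );

    // Effective: placeholders in the query, values passed as separate arguments.
    // %d casts to an integer; %s is escaped and quoted by prepare() itself,
    // so the placeholder is written without surrounding quotes.
    $sql = $wpdb->prepare(
        "SELECT hits FROM {$table} WHERE post_id = %d AND label = %s",
        $post_id,
        $label
    );

    $hits = $wpdb->get_var( $sql );

    wp_send_json_success( array( 'hits' => (int) $hits ) );
}
```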