The way you’re using $wpdb->prepare doesn’t help anything. You have to properly prepare the values and then add them like with sprintf as %s or %d.
Oh, and I don’t believe “working with WP ajax for over a year.”. In this case you would also know about the nopriv hooks for public usage 🙂
add_action( 'wp_ajax_nopriv_action_stats', ...