by tomjen3 5560 days ago
Do they use prepared statements? If not, they are almost certainly vulnerable.

Look, I am not trying to start a flamewar here, but if his code is developed without knowledge of SQL injections then they are almost certainly vulnerable.

It is almost impossible to fuck up prepared statements, so although they take longer to write it is a good way to secure a website.