PDO isn't a safeguard against SQL injection. You can still write utterly dangerous injectable queries all you want in PDO, and PDO won't care.
What PDO does is provide TOOLS that allow you to write queries safely.
But don't go blame PDO if it provides a safe hammer, and then you go on using your forehead to drive in some nails. PDO did its job and provided the tools, you're the one with nail holes in your skull.