Also the code could have been added another way. Through an exploit or vulnerability in some code you have on your site either in a plugin, theme or custom script. The hacker could simply exploit that coding flaw and use it to add his code, which would technically not be code injection, but simply an exploitation of a flawed code on your website.
BPS is designed to protect against a direct attack, but if you have some coding on your website that allows something that it should not be allowing then this is called an exploit or vulnerability. The hack is done by exploiting the existing flawed code. This would not be a direct attack so there would be nothing indicating a hack was taking place therefore nothing to trigger BPS to block it.
BPS has blocked over 800,000+ hacking attempts on the AITpro websites in the last 3 years so BPS seems to be working pretty well. ;)