SQL injection isn't the only situation in which hackers can elevate data to a command level in order to execute an attack. Web applications, for example, have to constantly guard against what can happen when end-user input is collected then redisplayed for other users (typically after it's been saved to a database).
Here's a simple example of how exploits against web applications can function: Suppose that a blog engine allows visitors to comment on posts. This blogging engine stores user comments in a database and then redisplays them to subsequent visitors. A comment such as "nice post!