I mean, its just SQL injection all over again, if your method of communication can be escaped, it will.