Sure, his script might not call eval or system, but he's storing the data in a database, and who knows what is going to be done with that data? The next person may not be security aware.

If the data isn't suppose to contain those characters, you have nothing to lose by filtering them out.

Abigail