And they can't really execute any PHP code unless you are stupid enough to use eval() on the comment string. They can however try to print out variables such as DB passwords and also use malicious HTML and JS. addslashes() and htmlentities() can counter this.
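As an added example (not code from the original post), here is what those countermeasures look like in PHP: the comment string never reaches eval(), it is stored with a bound parameter rather than interpolated into the query after addslashes(), and it is encoded with htmlentities() only when rendered, so injected HTML/JS stays inert. It assumes the pdo_sqlite extension; the table and the sample comments are constructed.

```php
<?php
// Added example, not from the original post. Shows safe handling of a user
// comment: stored via a bound parameter (the modern replacement for escaping
// with addslashes()) and HTML-encoded with htmlentities() at output time.
// Assumes the pdo_sqlite extension; the table and sample comments are constructed.
declare(strict_types=1);

// Encode a comment for safe inclusion in an HTML page body or attribute.
function encodeComment(string $comment): string
{
    // ENT_QUOTES also encodes ' and " so the value is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store a comment using a bound parameter: the content is data, never SQL.
function storeComment(PDO $db, string $author, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $comment]);
}

// Legacy approach mentioned in the post: escaping quotes with addslashes()
// before interpolating into SQL. Kept only for comparison; bound parameters
// are the recommended way because they do not depend on string escaping rules.
function legacyEscape(string $comment): string
{
    return addslashes($comment);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample inputs: one benign, one carrying HTML/JS and a quote.
$samples = [
    ['alice',   'Nice article!'],
    ['mallory', "<script>alert('x')</script> O'Reilly"],
];
foreach ($samples as [$author, $body]) {
    storeComment($db, $author, $body);   // the quote cannot break the query
}

// Render: stored text comes back unchanged and is encoded only here, at output.
foreach ($db->query('SELECT author, body FROM comments') as $row) {
    printf("<p><b>%s</b>: %s</p>\n", encodeComment($row['author']), encodeComment($row['body']));
}
```

Run it with the PHP CLI; the second comment is printed as entity-encoded text, so the browser shows the script tag literally instead of executing it.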