If used only in the context, there's no way to execute malicious code from the user input.
It's not possible to just execute arbitrary code by being able to alter a string. Only when you output the string directly, or use it in SQL should you be really worried.