When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is executed.