If you have a form that asks for a name, there is no reason a visitor should be able to enter numbers or special characters, especially characters like ' or < that have special meaning in SQL or HTML. If your developers' code checks the user's input for such characters and refuses them, attackers will not be able to inject HTML scripts into your web forms.