If the attacker wants to receive some output of the database, he could combine an SQL injection with an HTML injection. First inject malicious HTML in the database, then the HTML will be put in the site ...