The CFDB plugin relies on the form plugin (CF7 or other) to screen out bad form submissions. The assumption I make is that CF7 will *not* notify CFDB of bad form submissions and therefore they will not be saved. CFDB by design makes no judgement about the validity of a submission, in part so that it will not disagree with the form plugin (causing inconsistent results like an email but no saved entry) and in part to simply not re-invent the wheel.
From what I've seen, spam and other bad submissions generally get filtered out of CF7 and don't go into the DB. This is done by Akismet identifying it as spam or by the inclusion of a CAPTCHA in the form (Really Simple CAPTCHA plugin) to prevent automated programs from submitting.
But it sounds like you see a case where it does. Is this case just when there is PHP code in the submission? I'm not sure I follow the specifics from your post. Perhaps you can detail a specific scenario with actual form/fields/data. It might then suggest a fix to CF7.
Someone could spam the database with invalid entries if they pass through the form plugin's spam filter and validations, but they could also spam the DB with valid submissions. So stopping all invalid entries, while useful, doesn't solve the more general problem. Including a CAPTCHA is the best defense. It at least ensures a human is doing the submissions, and it is tiresome to spam someone manually.
That being said, I'm interested in understanding a specific example of the case you describe.
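The post above describes the design: CFDB stores only what CF7 accepts, so any screening has to happen on the CF7 side. The following is an added example, not code from CFDB or Contact Form 7, showing a site-level CF7 validation filter that rejects a submission when a field contains PHP or script tags, so the entry is never handed to CFDB. It assumes CF7's public `wpcf7_validate` filter, the `WPCF7_Submission::get_instance()` / `get_posted_data()` API and `WPCF7_Validation::invalidate()`; the function name `example_reject_php_in_fields` and the regex are my own choices.

```php
<?php
/**
 * Added example (not CFDB or CF7 code).
 * Runs inside CF7's validation pass. If validation fails, CF7 does not send
 * mail and does not fire the hooks CFDB listens on, so nothing is saved.
 * Hook and method names are assumptions based on CF7's public API; confirm
 * them against the CF7 version installed on your site.
 */
add_filter( 'wpcf7_validate', 'example_reject_php_in_fields', 20, 2 );

function example_reject_php_in_fields( $result, $tags ) {
    $submission = WPCF7_Submission::get_instance();
    if ( ! $submission ) {
        return $result;
    }
    $posted = $submission->get_posted_data();

    foreach ( $tags as $tag ) {
        $name = $tag->name; // field name from the form template
        if ( empty( $name ) || ! isset( $posted[ $name ] ) ) {
            continue;
        }
        // Checkbox/select fields arrive as arrays; flatten them for matching.
        $value = is_array( $posted[ $name ] )
            ? implode( ' ', $posted[ $name ] )
            : (string) $posted[ $name ];

        // Reject obvious server-side or client-side script fragments.
        // Conservative by design: tune the pattern for your own forms.
        if ( preg_match( '/<\?(php|=)?/i', $value ) || preg_match( '/<script\b/i', $value ) ) {
            $result->invalidate( $tag, 'This field contains content that is not allowed.' );
        }
    }
    return $result;
}
```

Drop this into a small site plugin or the theme's functions.php. It complements, rather than replaces, Akismet and a CAPTCHA: it only removes one class of junk, and as the post notes, a human can still submit valid-looking entries by hand.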