Sometimes, yes. If a website has a box where you type something in (like a name, address, password etc) that text then goes to the server. If the website wasn’t built carefully to filter out certain text or symbols, the hacker could put in code in that box, then when the server gets it, it will execute that code.

Even worse, if the website takes what you enter then uses it to display something back to you, that could be tricked into displaying back to you sensitive information. For example, you type in your name, then it says “welcome name”, if you instead of typing in your name, type in code for give me a list of everyone’s password, it might display : “Welcome user001: password user002: p@ssword user003:passw0rd”

Or course there are other methods, but this is the eli5 example. This is not a very sophisticated attack, and it’s one of the first things you learn as a software engineer to guard against, but back in the day this was the source of a lot of data leaks.