The wp text widget will not exec php code because it’s a major security hole. I hope you have that widget locked down tight so that only you can use it. If your blog admins are able to pick and choose their own widgets for their blogs you have a major problem.
Where’s your site? It does credit card processing? I’ll just sign up and snag some credit card numbers for the “Burt Wants a Porsche Fund”. Or “Burt’s Pissed Off At The Site Admin” scenario and I do:
$wpdb->query("DELETE FROM my_favorite_table_name");