On the surface this looks like a very creative way to do an SQL injection attack. However, it's a real stretch to assume that the text that is OCR'ed from the picture is ever used in an execution context as SQL program code.
The way those types of attacks work is that you have to exploit some weakness in the input parsing part of the system and get the SQL code injected into something that might be used as SQL program code. Crucial point in this type of attacks is that the format of the input is not defined but can be anything.
In this case I don't see such potential because the input format is very well defined, pictures in certain picture format and I would assume that the OCR'ed text is just stored in a table and it's just "data".