An attacker can still craft a SQL injection attack even if a web application's input fields offer only predefined choices. Attackers may manipulate these inputs by intercepting the HTTP request and modifying the values before they are sent to the server or by using other attack vectors that don't rely on user input fields, like exploiting database vulnerabilities directly. Therefore, relying solely on predefined choices is not sufficient to prevent SQL injection attacks.