Code injection can occur when using dynamic data in calls to system() and related
Counter Measures
• Limit or remove use of system(), exec(), eval(), backtick (`), and shell_exec()
• Use escapeshellarg() to escape arguments
• Use escapeshellcmd() to escape commands
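
The countermeasures above, side by side, as an added example that is not part of the original page. The function names, the wc command and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example; function names and the sample input are hypothetical.

// Vulnerable: dynamic data concatenated into the string handed to the shell.
function cmd_unsafe(string $file): string
{
    return 'wc -l ' . $file;
}

// escapeshellcmd() escapes metacharacters such as ; | & $ in the whole
// string, which stops command chaining, but spaces still split the value
// into several arguments.
function cmd_escaped_cmd(string $file): string
{
    return escapeshellcmd('wc -l ' . $file);
}

// escapeshellarg() single-quotes the value so the shell passes it as exactly
// one argument; "--" keeps a leading "-" from being parsed as an option.
function cmd_escaped_arg(string $file): string
{
    return 'wc -l -- ' . escapeshellarg($file);
}

// No shell at all: with an array command (PHP 7.4+), proc_open() executes
// the program directly and each element is one argv entry.
function run_without_shell(string $file): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['wc', '-l', '--', $file], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start wc');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed input: a file name with a second command appended.
$input = 'notes.txt; echo INJECTED';

foreach (['cmd_unsafe', 'cmd_escaped_cmd', 'cmd_escaped_arg'] as $fn) {
    printf("%-16s %s\n", $fn, $fn($input));
}
```

Comparing the three printed command strings shows why escapeshellarg() is the right call for a single user-supplied value, while escapeshellcmd() alone still lets the value expand into extra arguments.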