If you are allowed to use exec or system and you pass user-provided data to them, you should escape that data for any special characters using escapeshellarg():

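// Call escapeshellarg() outside the string: PHP does not evaluate function calls inside double quotes.
$cmd = "ls " . escapeshellarg($user_input);
system($cmd);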

Without escaping, a user can pass any malicious input, and that would get executed on your server.
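The difference between the unescaped and escaped command line, as an added example that is not part of the original text. The function names `build_ls_unsafe` and `build_ls_safe` and the sample inputs are constructed for illustration; the script only prints the command strings and executes nothing.

```php
<?php
// Added example: function names and sample inputs are constructed.

// Unsafe: the input is pasted into the shell command line as-is, so the
// shell interprets any metacharacters it contains.
function build_ls_unsafe(string $userInput): string
{
    return 'ls ' . $userInput;
}

// Safer: on Unix-like systems escapeshellarg() wraps the value in single
// quotes and escapes embedded single quotes, so the shell sees exactly one
// argument. It does not stop a value that starts with "-" from being read
// as an ls option, so "--" is added to end option parsing.
function build_ls_safe(string $userInput): string
{
    // Policy choice for this example: reject empty and NUL-containing input.
    if ($userInput === '' || strpos($userInput, "\0") !== false) {
        throw new InvalidArgumentException('empty or NUL-containing path');
    }
    return 'ls -- ' . escapeshellarg($userInput);
}

// Constructed sample inputs.
$samples = [
    'reports',                 // ordinary directory name
    'reports; echo INJECTED',  // command separator
    '$(echo INJECTED)',        // command substitution
    "it's here",               // embedded single quote
    '-la',                     // looks like an option
];

foreach ($samples as $input) {
    // Print the resulting command strings only; nothing is executed.
    printf(
        "input : %s\nunsafe: %s\nsafe  : %s\n\n",
        $input,
        build_ls_unsafe($input),
        build_ls_safe($input)
    );
}
```

In the "safe" column every sample arrives at `ls` as a single quoted path argument, while the "unsafe" column shows the same text handed to the shell for interpretation.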