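#!/usr/bin/perl
use strict;
use warnings;

# Demonstration: why external commands should be run with the list form of
# system() rather than with a single interpolated string.

# Stand-in for untrusted input: a directory name carrying a shell command
# separator followed by a second command.
my $dir = '/tmp; echo "GOT YA"';

# UNSAFE -- kept on purpose as the "before" half of the demo.
# A single-string system() whose string contains shell metacharacters is
# handed to the shell, so the ';' inside $dir is parsed as a command
# separator and the trailing echo runs as its own command.
print "AS STRING\n";
system("ls $dir");

# SAFE against shell injection.
# In list form Perl executes 'ls' directly; no shell is involved and $dir
# reaches ls as one literal argument, metacharacters included.
# The '--' ends option parsing: the list form alone does not stop a value
# that begins with '-' from being read by ls as an option.
print "\nAS LIST\n";
system('ls', '--', $dir);

# The '=OUTPUT' line below opens a POD block, so perl skips everything up to
# '=cut'. It records what the two calls print when the script is run.

=OUTPUT

AS STRING
[snip -- same as `ls /tmp`]
GOT YA

AS LIST
ls: /tmp; echo "GOT YA": No such file or directory

=cut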