# Command-injection illustration: the vulnerable pattern is a single-string
# system() call built by interpolating untrusted input.

# Instead of passing a file name, a malicious user sends
# another command. The leading ";" is a shell command separator.
$user_input = "; rm -rf /";

# system() happily executes "ls -l" followed by "rm -rf /".
# Why: when system() is given ONE string that contains shell metacharacters,
# Perl hands the whole string to the command shell (/bin/sh -c on Unix), and
# the shell parses it as two separate commands.
# Mitigation: use the list form so no shell is involved and the value stays a
# single argument, e.g. system('ls', '-l', '--', $user_input); also validate
# the name against an anchored allow-list pattern (taint mode, -T, enforces
# this kind of check on external data).
system("ls -l $user_input");