in reply to calling Unix commands
To avoid this, you should always pass array arguments to system() and exec():

    # Instead of passing a file name, a malicious user sends
    # another command
    $user_input = "; rm -rf /";

    # system() happily executes "ls -l" followed by "rm -rf /"
    system("ls -l $user_input");

    $user_input = "; rm -rf /";

    # In this case the user just gets a "no such file or
    # directory" error
    system("ls", "-l", $user_input);

Backticks are a bit trickier because there's no syntax to pass in an array argument. To safely capture the output of a command, use open() to fork off a child and exec() to execute the command:

    # Bad
    @output = `ls -l $user_input`;

    # Good
    if ($kidpid = open(PIPE, "-|")) {
        # Parent process. Read data from the child.
        @output = <PIPE>;
    } else {
        # Child process. Execute the command.
        die "could not fork" if !defined($kidpid);
        exec("ls", "-l", $user_input) or die "exec failed: $!";
    }
-Matt
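The pattern Matt describes, worked through as an added example (not code from the original post): the list form of system() for running a command, the list form of a pipe open() for capturing output without the manual fork/exec dance, and two checks a practitioner usually wants alongside it. The list-form pipe open is standard Perl (5.8 and later); the "--" argument and the looks_like_filename() filter are this example's own additions, not something the post recommends, and the $user_input payload is the constructed one from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: what an attacker might supply where a
# file name is expected (the same payload the post uses).
my $user_input = '; rm -rf /';

# UNSAFE: the single-string form is handed to /bin/sh, so ';' ends the
# "ls -l" command and starts a new one.  Defined only to show the
# pattern; deliberately never called below.
sub run_unsafe {
    my ($input) = @_;
    return system("ls -l $input");
}

# SAFE: with more than one list element, system() calls execvp()
# directly and $input is a single argv entry the shell never sees.
# "--" tells ls that what follows is a file name, so input starting
# with "-" cannot be smuggled in as an option (argument injection,
# which the list form alone does not prevent).
sub run_safe {
    my ($input) = @_;
    return system('ls', '-l', '--', $input);
}

# SAFE capture: the list-form pipe open forks and execs without a
# shell, giving the same effect as the open("-|") plus exec() pattern
# in the post in a single call.  Returns the output lines and the
# child's exit code.
sub capture_safe {
    my ($input) = @_;
    open(my $pipe, '-|', 'ls', '-l', '--', $input)
        or die "cannot fork/exec ls: $!";
    my @output = <$pipe>;
    close($pipe);            # close() sets $? to the child's status
    return (\@output, $? >> 8);
}

# Defense in depth (this example's own rule, not from the post):
# reject anything that does not look like a plain relative file name
# before it reaches any exec, list form or not.
sub looks_like_filename {
    my ($input) = @_;
    return 0 if $input =~ m{\A-};                # no option-looking names
    return 0 if $input =~ m{(?:\A|/)\.\.(?:/|\z)}; # no path traversal
    return $input =~ m{\A[A-Za-z0-9._/-]+\z} ? 1 : 0;
}

if (!looks_like_filename($user_input)) {
    print "rejected as a file name: '$user_input'\n";
}

# Even without the filter, the list form only yields an ls error,
# never a second command.
my ($out, $status) = capture_safe($user_input);
print "ls exited with status $status and produced ",
      scalar(@$out), " line(s) of output\n";
```

Note that the "more than one element" condition matters: system("ls -l") with a single string, or a one-element list containing shell metacharacters, still goes through the shell. When the command and its arguments come from a single variable, use the indirect-object form system { $cmd } $cmd, @args, or build the list explicitly as above.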