A better would be to look through the string they send you and check for potentially harmful substitutions

Better than that is to filter everything except known-good characters, like we do when untainting data. In fact, the OP program should run under taint mode.