in reply to Re: Asynchronous Program Spawning
in thread Asynchronous Program Spawning

Has security issues from loading shell

Could you explain, or provide a pointer to discussion of the security issues?


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

Re^3: Asynchronous Program Spawning
by ikegami (Patriarch) on Feb 12, 2006 at 19:04 UTC

    Due care must be spent on sanitizing and escaping the arguments if they are not hard coded.

    $file_name = 'file name';
    system("program $file_name &"); # Oops!

    Without due care, the code may not work, or worse, it could be vulnerable to injection attacks.

      If you do that as

      system qq[program "$filename" &];

      It won't matter if the filename contains spaces or not. That's a simple programming problem and hardly worthy of description as "security issue".

      As for "injection attacks", I assume that you mean if the source of all or part of the command supplied to the system command is an untrusted external source, then care must be taken. I fail to see how the start command is any more or less of a security risk than invoking an untrusted command directly?

      If you get data from untrusted sources, don't you have to be just as careful invoking that data as a command directly as you do invoking it indirectly via a command shell?



        I didn't say it was impossible. I didn't say it was hard. I was just giving a warning. And apparently it was warranted, since your code suffers from the very bug I mentioned. It will fail when the file name contains a double-quote.

        If you get data from untrusted sources, don't you have to be just as careful invoking that data as a command directly as you do invoking it indirectly via a command shell?

        You have one less thing to protect yourself against. By using system PROGRAM, LIST, you don't have to worry about special characters.
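
Added example, not part of any post in this thread: one way to spawn a program asynchronously with the PROGRAM, LIST form, so that no shell parses the file name. It assumes a Unix-like system with a real fork; `spawn_async`, the sample file name and the use of the running perl (`$^X`) as the child program are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent and child output in order

# Constructed sample input: a file name with spaces, double quotes and
# shell metacharacters, as might arrive from an untrusted source.
my $file_name = 'my "report"; echo INJECTED #.txt';

# Stand-in for "program": the running perl, printing each argument it receives.
my @program = ($^X, '-e', 'print "arg[$_]=<$ARGV[$_]>\n" for 0 .. $#ARGV');

# Spawn without a shell: fork, then exec PROGRAM LIST in the child.
# Every list element reaches the child as exactly one argument, so
# quotes, spaces and ';' in the file name are never interpreted.
sub spawn_async {
    my @cmd = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # The indirect-object form guarantees that no shell is involved,
        # even when @cmd has a single element.
        exec { $cmd[0] } @cmd or die "exec $cmd[0] failed: $!";
    }
    return $pid;    # the parent continues immediately
}

# For contrast, the string a shell would have to parse with the quoted
# string form from the thread. It is only printed here, never executed.
print "string form: program \"$file_name\" &\n";

my $pid = spawn_async(@program, $file_name);
print "parent: spawned child $pid without waiting\n";

# Reap the child so it does not linger as a zombie.
waitpid($pid, 0);
print "child exit status: ", $? >> 8, "\n";
```

The child reports the file name as a single argument with its quotes and semicolon intact, while the printed string form shows the embedded double quote ending the quoted word early.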
