When you say "could be pretty much anything", do you mean that reasonable submisisons could contain all the nasty stuff, or just that you don't know what the users will type?

If the former, keep it away from the shell. For that matter, keep it away from exec and system, too.

If the latter, don't allow it. And still keep it away from the shell, and exec and system. :-)