In your case, I don't think it's safer. If $link was set by the user, he can set it to something like 'http://own3d.com ; format c:' (I just made that up). I'm not sure if that's a valid shell script in cmd.exe, but you get the picture. If you use the shell-safe construct, it would look to the shell like ie.exe 'http://own3d.com ; format c:', where $link is one paremeter. There's no chance for the use to do nasty things via the shell