in reply to execute a C program through PerlCGI

Considering you might not have access to modify that program's source code or might not know exactly what the code in the program will do, I suggest not only using the qx method, but also untainting any data you might also pass to the program.

CGI is always tricky. Users will find every vulnerability, eventually. Don't use backticks, unless everything in between them is in no way modifiable. Same with qx. Be wary of user-submitted input. Hope this helps.

John J Reiser
newrisedesigns.com

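An illustration of the untainting advice in the reply above, added here and not part of the original post: a CGI script running under taint mode (`-T`) that untaints one parameter with an allowlist regex and starts the program through a list-form pipe open, so no shell ever parses the value. The program path `/usr/local/bin/report`, its `--id` option and the `id` parameter name are hypothetical.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI ();

# Taint mode refuses to start external programs while PATH is tainted,
# so set it explicitly and drop the variables a shell would honour.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $PROGRAM = '/usr/local/bin/report';   # hypothetical compiled C program

# Untaint by allowlist: only a regex capture clears the taint flag, so the
# pattern describes exactly what is acceptable. The first character must be
# alphanumeric so the value can never look like a command-line option.
sub untaint_id {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9][A-Za-z0-9_-]{0,31})\z/;
    return;
}

# List-form pipe open hands each argument straight to exec, so shell
# metacharacters are never interpreted (unlike backticks or qx).
sub run_program {
    my ($id) = @_;
    open(my $out, '-|', $PROGRAM, '--id', $id)   # '--id' is hypothetical
        or die "cannot start $PROGRAM: $!";
    local $/;                                    # slurp all output
    my $text = <$out>;
    close($out) or die "$PROGRAM exited with status $?";
    return $text // '';
}

my $q  = CGI->new;
my $id = untaint_id(scalar $q->param('id'));

if (defined $id) {
    my $result = run_program($id);               # dies before any output
    print $q->header(-type => 'text/plain', -charset => 'utf-8'), $result;
} else {
    print $q->header(-type => 'text/plain', -status => '400 Bad Request'),
          "invalid id\n";
}
```

Without the regex capture, taint mode aborts at the `open` with an "Insecure dependency" error, which is the safety net the reply is recommending.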