Again, never trust user data!
<?php
system("ls $dir");
?>
In this example you want to make sure that the user can't pass in
$dir set to something like: ".;cat /etc/passwd"
The remedy is to use escapeshellarg() which
places the argument inside single quotes and escapes any single quote
characters in the string.
<?php
$dir=escapeshellarg($dir);
system("ls $dir");
?>
Beyond making sure users can't pass in arguments that executes other
system calls, make sure that the argument itself is ok and only accesses data
you want the users to have access to.