There can't be command injection if there's no command -- do you really need to run an external program?

Plenty of PHP built-ins for file operations:

%mkdir()%

%rmdir()%

%copy()%

%move()%

%unlink()%

%chmod()%

%chown()%

%chgrp()%

%...%