To escape shell commands use the escapeshellcmd() and escapeshellarg() functions.

<?php
$user = "/usr/local; rm -f /";
$command = "ls -l ";

var_dump(
    escapeshellcmd($command . $user)
);

print "\n<br />\n";

var_dump(
    $command . escapeshellarg($user)
);
?>
Output
string(26) "ls -l /usr/local\; rm -f /"
string(27) "ls -l '/usr/local; rm -f /'"