PHP offers the function escapeshellarg() to escape arguments to shell commands in a way that makes it impossible for an attacker to execute additional commands. However due to a bug in the function, this does not work with the windows version of PHP. Versions 4.3.6 and below are susceptible.
3665a6afbcf2c1f3e80aaebbd19c3b186545ef0c4c98f8e8daf399053845af2f