Since you asked, threw this example on filtering together real quick...
<?php
// Basic system(); with basic filtering (lol)
extract($_POST);
echo('<h1>system blah</h1><br><br>');
if ($submit != "gogo")
{
echo('<form action="" method="POST"><input type="text" name="system" value=""><br><input type="submit" name="submit" value="gogo"></form>');
}
else
{
if (strpos($system, ";") === false && strpos($system, "|") === false && strpos($system, "&") === false)
{
$output = system("$system");
echo($output);
}
else
{
echo("I see what you did there...");
}
}
?>
Just makes sure that there aren't any characters in there that would allow someone to execute commands that you don't want them to... I might've missed some way they could sneak something in there though so don't completely rely on me.