What are potential security risks associated with using exec or system commands in PHP?

Using exec or system commands in PHP can pose security risks such as command injection attacks, where an attacker can manipulate input to execute arbitrary commands on the server. To mitigate this risk, it is recommended to use escapeshellarg() or escapeshellcmd() functions to sanitize input before passing it to exec or system commands.

$command = 'ls ' . escapeshellarg($user_input);
exec($command);