Consider the following code snippet that I’m borrowing from an OWASP page on command injection:

The page claims “it is not possible to inject additional commands” so it must be secure!

And... it’s not. Good grief.