...
Consequently, command injection attacks cannot succeed unless a command interpreter is explicitly invoked. However, argument injection attacks can occur when arguments contain spaces, double quotes, and so forth, or when they start with a "-" or "/" to indicate a switch.
This rule is a specific instance of IDS00-J. Prevent SQL Injection. Any string data that originates from outside the program's trust boundary must be sanitized before being executed as a command on the current platform.
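The following is an added example, not one of the standard's own compliant solutions: it validates an untrusted value against an allow-list before passing it to a fixed command as a single, separate argument, so that it can be neither split into extra arguments nor read as a switch. The command, the 64-character limit and the "--" end-of-options marker are assumptions for a POSIX ls.

```java
import java.io.IOException;
import java.util.regex.Pattern;

// Added example (not the standard's compliant solution). Assumes the untrusted
// value is meant to be a plain directory name handed to a fixed command.
// Rejecting the value rather than escaping it is deliberate: no command
// interpreter is involved, so there is nothing to escape for, and the remaining
// risks are the argument being read as a switch or containing separators.
public final class SafeArgument {

    // Allow-list: letters, digits, dot, underscore and hyphen only. The first
    // character may not be '-' or '/', so the value cannot be taken as a
    // switch; spaces and quotes are excluded outright. Length capped at 64
    // (an assumed limit).
    private static final Pattern SAFE_ARG =
        Pattern.compile("[A-Za-z0-9_.][A-Za-z0-9_.\\-]{0,63}");

    /** Returns the value unchanged if it is safe to pass as one argument. */
    public static String requireSafeArgument(String untrusted) {
        if (untrusted == null || !SAFE_ARG.matcher(untrusted).matches()) {
            throw new IllegalArgumentException("argument rejected");
        }
        return untrusted;
    }

    /** Runs the fixed command with the validated value as one argument. */
    public static int listDirectory(String untrustedDir)
            throws IOException, InterruptedException {
        String dir = requireSafeArgument(untrustedDir);
        // Each argument is its own array element, so the value is never
        // re-tokenized, and no "sh -c" is invoked. "--" additionally tells
        // ls that whatever follows is an operand, not an option.
        ProcessBuilder pb = new ProcessBuilder("ls", "--", dir);
        pb.inheritIO();
        return pb.start().waitFor();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the first passes, the other two are rejected.
        listDirectory("logs.2024-05");
        for (String bad : new String[] {"-la", "a b"}) {
            try {
                requireSafeArgument(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + bad);
            }
        }
    }
}
```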
...