Command Injection

Command injection is a technique that allows an attacker to execute system commands by abusing an application feature. The injection typically occurs when the developer uses user input to construct a command string that is then handed to the system shell (or a shell-like interpreter) for execution.

This technique allows execution of arbitrary commands with the same privilege as the user under which the targeted application is running.

Solution

Due to the flexibility and expressiveness of the system shell, it is often not possible to create a comprehensive method that sanitizes user input so that it is safe for inclusion in dynamically constructed commands. Therefore, it is recommended to avoid such usage altogether.
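The following is an added example, not part of the original vulndb entry, illustrating both the injection pattern described above (user input pasted into a shell command string) and the recommended solution (do not build shell strings at all). The vulnerable builder is only inspected, never executed; the hardened form allowlist-validates the argument and then runs the program with an argument list and no shell. A Python one-liner that prints its first argument stands in for the real tool (for example ping) so the example runs offline; the hostname regex, function names and sample inputs are assumptions of this example.

```python
"""Command injection: vulnerable string building vs. shell-free execution.

Added example; not part of the original vulndb entry.
"""
import re
import shlex
import subprocess
import sys

# Allowlist for a DNS hostname (assumption of this example): labels of
# letters, digits and hyphens joined by dots, at most 253 characters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# POSIX shell control/redirection operators that start a second command.
SHELL_OPERATORS = {";", "&", "&&", "|", "||", "(", ")", "<", ">", ">>", "<<"}

# Stand-in for the real tool (e.g. ping): prints its first argument verbatim.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def vulnerable_command(host: str) -> str:
    """VULNERABLE pattern from the text: user input concatenated into a shell string.

    Returned for inspection only; this example never passes it to a shell.
    """
    return "ping -c 1 " + host


def shell_view(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, keeping operators."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def has_control_operator(command: str) -> bool:
    """True if a shell would split this string into more than one command."""
    return any(tok in SHELL_OPERATORS for tok in shell_view(command))


def run_argv(argv: list[str]) -> str:
    """Execute without a shell: every argv element reaches the program unchanged."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def validate_host(host: str) -> str:
    """Allowlist check; reject anything that is not a plain hostname."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return host


def safe_lookup(host: str) -> str:
    """Hardened form: validate, then run with an argument list and no shell."""
    return run_argv(ECHO_ARGV + [validate_host(host)])


if __name__ == "__main__":
    tainted = "example.com; id"          # constructed sample input
    cmd = vulnerable_command(tainted)
    print("string a shell would receive:", cmd)
    print("shell tokenisation          :", shell_view(cmd))
    print("second command present      :", has_control_operator(cmd))
    # Without a shell the metacharacters are just bytes in one argument:
    print("argv pass-through           :", run_argv(ECHO_ARGV + [tainted]))
    print("validated call              :", safe_lookup("example.com"))
    try:
        safe_lookup(tainted)
    except ValueError as exc:
        print("validation                  :", exc)
```

The tokenisation step shows why escaping is fragile: the same input is one argument to `run_argv` but two commands to a shell, and the set of characters that matter depends on which shell and which quoting context the string ends up in. Passing an argument vector removes the shell from the path entirely, and the allowlist is an additional defence rather than the primary one.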

References

https://www.owasp.org/index.php/Command_injection