Command injection attacks occur when user input is used to construct commands for execution, without being properly quoted and escaped.
With a command injection vulnerability, an attacker may be able to execute any arbitrary commands in the context of the web server. This often leads to complete control of a server.
Whenever possible, user input should not be permitted in the construction of commands. If this is absolutely necessary, it is imperative that you quote the input and escape any quotes, backticks, and other special characters.