If you want to avoid situations like the one described by @robert you may want to disable `shell_exec` and -as a consequence- the backtick operator.
To do this just edit the `php.ini` file and add `shell_exec` to the `disable_functions` setting:
; This directive allows you to disable certain functions.
; It receives a comma-delimited list of function names.
; https://php.net/disable-functions
disable_functions = "shell_exec"
Then you can still use `exec()` to run terminal commands.