Ok, I should have been more specefic...
in reply to Re^2: Safely passing CGI form data to a shell command
in thread Safely passing CGI form data to a shell command
I was trying to say that, instead of removing whitespace and quoting special chars, I would define what I want to match an then throw out the rest. I think that if you're searching in a dictionary for an English word, you'll only need [A-Za-z-] (not exactly \w+) if I'm not missing something. It's always safer to get less than expected than get something unexpected, and for sure you (and me) are going to miss something.