
Writing Scripts

When writing scripts, whether they are CGI, PHP or scripts written for other purposes, you should be very careful when handling user input.

For example, in a Perl CGI script:

#!/usr/bin/perl
use CGI qw(:standard);   # ':standard' exports param(); a plain "use CGI;" does not

$user = param("user");   # untrusted: taken straight from the request
system("finger '$user'");   # single-string form: /bin/sh parses this line, so the quoting can be broken

What happens if the user sets the user parameter to something containing a single quote followed by a semicolon (';)?

It's not just system commands that we have to be careful with. What about expressions that we pass to an SQL interpreter? I've seen a PHP example program which you could exploit by generating a carefully crafted username containing a quote character followed by some SQL that caused it to log in successfully even when the password was invalid.
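The usual fix for the SQL case is to keep the statement text fixed and pass the values separately as bound parameters. The following is an added example, not code from the page or from the PHP program the author mentions; it uses Perl's DBI with an in-memory SQLite database (DBD::SQLite is assumed to be installed) and a constructed one-row users table.

```perl
#!/usr/bin/perl
# Added example (not from the original page): a login check written with
# DBI placeholders, so a quote character in the username is data, not SQL.
# Assumes DBI and DBD::SQLite are installed; the table and its one row are
# constructed here for the demonstration.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });

$dbh->do("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
$dbh->do("INSERT INTO users (username, password) VALUES (?, ?)",
         undef, "alice", "correct horse battery");

# Vulnerable form: the values are interpolated into the statement text, so
# the database sees whatever SQL the user's quote character produces.
sub login_unsafe {
    my ($user, $pass) = @_;
    my $sql = "SELECT COUNT(*) FROM users "
            . "WHERE username = '$user' AND password = '$pass'";
    my ($n) = $dbh->selectrow_array($sql);
    return $n > 0;
}

# Safe form: the statement text never changes; DBI binds the values
# separately, so a quote in $user can only ever be compared, not parsed.
sub login_safe {
    my ($user, $pass) = @_;
    my $sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?";
    my ($n) = $dbh->selectrow_array($sql, undef, $user, $pass);
    return $n > 0;
}

my $quoted = "o'brien";   # constructed: a legitimate name containing a quote

printf "safe, good password: %s\n",
    login_safe("alice", "correct horse battery") ? "ok" : "denied";
printf "safe, bad password:  %s\n",
    login_safe("alice", "wrong") ? "ok" : "denied";
printf "safe, quoted name:   %s\n",
    login_safe($quoted, "x") ? "ok" : "denied";

# With interpolation the lone quote unbalances the statement and the query
# dies; that error is the symptom of user input having escaped into the SQL.
eval { login_unsafe($quoted, "x") };
print "unsafe, quoted name: SQL error: $@" if $@;
```

Run as-is: the three safe calls print ok, denied, denied, and the unsafe call reports a syntax error from SQLite instead of a result. The same quote that breaks the interpolated query is what an attacker builds on, so a database error on ordinary names containing a quote is worth treating as a finding, not a cosmetic bug.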

The best way to deal with this is not to try to filter out bad characters, because you may forget some, but instead to limit the characters to a set that is known good - do usernames really need any characters other than letters and numbers? If not, why not filter the input with something like


$user =~ s/[^A-Za-z0-9]//g;   # strip every character that is not a letter or a digit

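Putting the two points together, here is an added example (not from the original page) of the finger script with the username limited to the known-good set. It goes slightly beyond the page's one-liner: the input is rejected rather than silently stripped, and system() is called in its list form so that no shell ever parses the argument. valid_username() and the 32-character limit are this example's own assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the original page): the finger lookup with the
# username limited to a known-good character set. valid_username() and the
# length limit of 32 are this example's own assumptions.
use strict;
use warnings;
use CGI qw(:standard);

# Accept only letters and digits, 1 to 32 of them. \A and \z anchor to the
# true ends of the string ($ alone would accept a trailing newline).
# Rejecting rather than stripping means a name containing a quote or a
# semicolon is refused outright instead of being quietly shortened.
sub valid_username {
    my ($u) = @_;
    return defined($u) && $u =~ /\A[A-Za-z0-9]{1,32}\z/;
}

my $user = param("user");

print header("text/plain");

if (!valid_username($user)) {
    print "invalid username\n";
    exit 0;
}

# List form of system(): with more than one argument Perl calls execvp()
# directly and no shell is involved, so quotes and semicolons in $user
# would have no meaning even if the check above were weaker. The allowlist
# also rules out a leading '-', so $user cannot be taken as an option.
my $status = system("finger", $user);
print "finger exited with status ", $status >> 8, "\n" if $status != 0;
```

The two measures are independent: the allowlist is the primary control, and the list form of system() removes the shell from the picture so that a mistake in the pattern cannot turn into command execution.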

Stephen White
2001-01-16