detecting dangerous unix command line metacharacte

Posted 2019-09-05 04:51

Question:

I'm working on a web application that has some API calls that send arguments for command line operations. For example (using jQuery), an API call like:

$.get('/api', {
    function: function_1,
    data: data
}, function () {}, 'text');

might execute a command line like:

php a.php data

In that case, if the content of data was "whatever;rm -rf *;", two commands would be executed:

  1. php a.php whatever;
  2. rm -rf *;

And I don't want to take that risk.

My problem is not detecting when a character is part of the data string; my problem is knowing which chars I should look for.

I'm adding a list of shell command metacharacters. Please specify which characters are risky and which combination of characters (if any) are risky.


NOTE: Taken from: http://www.fmrib.ox.ac.uk/fslcourse/unix_intro/shell.html

The shell meta characters include:

\ / < > ! $ % ^ & * | { } [ ] " ' ` ~ ;

NOTE 2: There may be other characters; if you know of another, please add it or comment and I'll add it.

NOTE 3: My problem is similar to what might happen with SQL injection, when someone adds hidden queries inside search text boxes, but in my case the problem is with shell commands. To prevent SQL injection you can look at this.

Answer 1:

That's exactly what escapeshellarg is for.
http://www.php.net/manual/en/function.escapeshellarg.php



Answer 2:

You are much better off trying to define what characters are allowed in the input, and check that the input only contains those, i.e. a "white-list" approach.
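
The two answers combined, as an added example that is not part of the original thread: an allow-list check on the input followed by escapeshellarg() when building the `php a.php data` command from the question. The function names and the assumption that `data` is a short identifier (letters, digits, `_`, `.`, `-`) are hypothetical.

```php
<?php
// Added example, not code from the original post.
// Assumption: "data" is a short identifier made of letters, digits, '_', '.', '-'.

/**
 * Allow-list check: accept only input known to be safe instead of
 * searching for dangerous metacharacters.
 */
function is_allowed_arg(string $data): bool
{
    // \A and \z anchor to the whole string; a bare '$' would accept a trailing newline.
    // The first character may not be '-', so the value cannot be read as an option.
    return preg_match('/\A[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}\z/', $data) === 1;
}

/**
 * Build the command line for "php a.php <data>" (script name from the question).
 * Returns null when the input is rejected.
 */
function build_command(string $data): ?string
{
    if (!is_allowed_arg($data)) {
        return null;
    }
    // Second layer: escapeshellarg() quotes the value so the shell passes it
    // to a.php as one literal argument.
    return 'php a.php ' . escapeshellarg($data);
}

// Constructed sample inputs; the second one is the string from the question.
$samples = ['report_2019.txt', 'whatever;rm -rf *;', "name\nid", '--version', ''];

foreach ($samples as $s) {
    $cmd = build_command($s);
    // json_encode() makes newlines and empty strings visible in the output.
    printf("%-22s => %s\n", json_encode($s), $cmd ?? 'REJECTED');
}
```

Only the first sample produces a command; the others are rejected before any shell quoting is attempted.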



Tags: php linux unix web