Occasionally, I use exec(), shell_exec(), and curl_exec(). Below are typical uses. Assume that where ever I have a PHP variable in them (i.e. $html in the first one), there is a chance that the user has the ability to modify its content.

What should I be concerned about from a security vulnerability perspective? Is escapeshellcmd() and escapeshellarg() the answer, and if so where should it be used?

$cmd='echo "html + '.$html.'" | htmldoc --format pdf > '.$filename;
$cmd='/usr/bin/convert '.$docs.' '.$filename;
$cmd='HOME='.$dir.'; /usr/bin/libreoffice3.5 --headless -convert-to pdf --outdir '.$dir.' '.$file_org;
$cmd='wget -O '.$file_org.' "'.$url.'"';
$cmd='/opt/wkhtmltopdf/bin/wkhtmltopdf "'.$url.'" '.$paramaters;
$cmd='/usr/bin/php -q '.$worker.' '.$session_id.' >/dev/null &';
exec($cmd);

$cmd='sendfax -n -m -w -i '.$id.' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f "'.$from.'" -d "'.$to.'" '.$doc_list;
$cmd = "faxstat -s | grep \"^$jid \"";
$output = shell_exec($cmd);

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_USERAGENT, $_GET['user_agent'] ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT'] );
curl_setopt($ch,CURLOPT_POSTFIELDS,array('aaa'=>$aaa,'bbb'=>$bbb));
$result = curl_exec($ch);

If you don’t validate and/or escape the input values properly, anyone can execute arbitrary commands on your system in behalf of the user that runs PHP.

For command arguments, there is escapeshellarg. Make sure you escape the whole argument value, e.g.:

$cmd='echo '.escapeshellarg('html + '.$html).' | htmldoc --format pdf > '.escapeshellarg($filename);
$cmd='/usr/bin/convert '.escapeshellarg($docs).' '.escapeshellarg($filename);
// […]
$cmd='sendfax -n -m -w -i '.escapeshellarg($id).' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f '.escapeshellarg($from).' -d '.escapeshellarg($to).' '.escapeshellarg($doc_list);