I recently found out about shell injection and I have codes that executes user inputs in shell environment I need to sanitize the input so that there is no backticks or other malicious strings. Is it enough to use str_replace() and remove them?
Please check link below How to prevent code injection attacks in PHP?
you have plenty ways to achieve what you want. As you said "str_replace" can do the job. You can also use regex like
$Content = preg_replace("/&#?[a-z0-9]+;/i","",$Content);
Also you can use php_filters to validate inputs.