Don’t make assumptions about the program’s operating environment. Instead, set the environment variables (such as PATH on UNIX) within your program or use complete path names.
Otherwise, an intruder may be able to redirect a system command that your program invokes, so that it runs a Trojan horse program (command) that they managed to upload to your server instead.
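One way to apply both halves of this advice, as an added example that is not part of the original page: the program resolves a command to a complete path using only its own list of directories and hands the child a fixed environment instead of the inherited one. The names SAFE_ENV, resolve_trusted and run_trusted, and the directory list /usr/bin:/bin, are assumptions made for the illustration.

```python
import os
import shutil
import subprocess

# Assumed trusted directories and variables; adjust for the target system.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LC_ALL": "C"}


def resolve_trusted(command):
    """Map a bare command name to a complete path inside the trusted PATH only."""
    # shutil.which() skips the PATH search when the name has a directory part,
    # so anything other than a bare name is refused here.
    if not command or os.path.basename(command) != command:
        raise ValueError(f"bare command name required: {command!r}")
    found = shutil.which(command, path=SAFE_ENV["PATH"])
    if found is None:
        raise FileNotFoundError(f"{command!r} not in {SAFE_ENV['PATH']}")
    return found


def run_trusted(command, *args):
    """Run a command by complete path with a fixed, program-defined environment."""
    exe = resolve_trusted(command)
    return subprocess.run(
        [exe, *args],
        env=dict(SAFE_ENV),   # nothing is inherited from the caller
        shell=False,          # no shell re-interprets the command line
        capture_output=True,
        text=True,
        check=True,
    )


if __name__ == "__main__":
    # Constructed scenario: the inherited environment starts with a directory
    # the program does not control and carries an extra variable.
    os.environ["PATH"] = "/tmp/constructed-untrusted:" + os.environ.get("PATH", "")
    os.environ["CONSTRUCTED_VAR"] = "inherited"
    result = run_trusted(
        "sh", "-c", 'printf "%s|%s" "$PATH" "${CONSTRUCTED_VAR:-unset}"'
    )
    print(resolve_trusted("sh"), result.stdout)
```

The child sees only the PATH the program set, so a same-named file placed in an inherited directory is never considered during lookup.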