$_GET['user'] security vulnerability in PHP?
If used only in the context, there's no way to execute malicious code from the user input.
Its not possible to just execute arbitrary code by being able to alter a string. Only when you output the string directly, or use it in SQL should you be really worried.
Related Questions
Security vulnerability domains from user input, other than SQL statements?
Should I still escape? $_GET and XSS, SQL Injection and other PHP Security Concerns?
Number from $_GET not being read into simplexml xpath query using php?
Htaccess rewrite PHP $_GET multiple pages?
Set $_GET['foo'] variable when calling a PHP script on CLI?
Php and $_GET array?