shellcode – shell injection using only [alphanumeric, dashes, colon, period]

I found a html form with only one input field, where the text entered is used as argument (or rather as the last part) of a ping on the server.
When submitting the form, the following command is executed:

/ bin / ping -c 3 INPUT_TEXT

It feels horribly dangerous [read: interesting] so I started playing with it to see if I could inject code.

There are however some restrictions (controlled by PHP). The server will not accept any entry containing characters other than those expected for a ping:

No blanks, no 'no', no special characters.
Handling the publication request itself does not solve the problem.

Is there a way to incorporate something of interest into a shell command using only these available characters?