If you can figure out a way to use call(), you're home free
call("talk","hello world");
Don't do call("eval", ...); as that's no better than what you've got.
Otherwise, just remove any ; ( ) @ $ or % you don't want before calling eval()
Are those the ONLY characters I have to watch out for?
This was also suggested over Steam to me;
god no.
Remove literally every character that ISN'T ABSOLUTELY NECESSARY
Seriously just whitelist the stuff (for each character in string, if it isn't one of these, return false and ABORT or just remove it)