By escaping the command string, the attacker can inject extra parameters into the sendmail command.
?>
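A check that blocks this kind of parameter injection, as an added example that is not code from the original page. It assumes the sender address reaches sendmail as a `-f` option through the fifth argument of PHP's `mail()`; `safe_envelope_sender`, `send_message` and the sample addresses are hypothetical and constructed for illustration.

```php
<?php
// Added example. Assumption: the sender address is appended to the
// sendmail command line as "-f<address>" via mail()'s $additional_params.

/**
 * Return the address if it is safe to place after -f, otherwise null.
 */
function safe_envelope_sender(string $address): ?string
{
    // Syntax check first. On its own this is not sufficient, because
    // quoted local parts can be syntactically valid addresses.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Strict allowlist: no whitespace, quotes or backslashes, so the value
    // stays a single command-line argument and cannot end it early.
    if (preg_match('/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\z/', $address) !== 1) {
        return null;
    }
    return $address;
}

/** Send only when the envelope sender passes the check above. */
function send_message(string $to, string $subject, string $body, string $from): bool
{
    $sender = safe_envelope_sender($from);
    if ($sender === null) {
        // Log the rejected value in encoded form for later review.
        error_log('rejected envelope sender: ' . json_encode($from));
        return false;
    }
    return mail($to, $subject, $body, '', '-f' . $sender);
}

// Constructed sample inputs; only the validator runs, nothing is sent.
$samples = [
    'alice@example.com',           // plain address: accepted
    '"alice smith"@example.com',   // quoted local part with a space: rejected
    'alice@example.com extra',     // trailing extra token: rejected
];
foreach ($samples as $sample) {
    printf("%-28s => %s\n", $sample, var_export(safe_envelope_sender($sample), true));
}
```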