A PHP extension to disable eval() and create_function().

phpize
./configure
make
sudo make install

Then add

extension=disableeval.so

to your php.ini.

• disableeval.enabled (boolean, default On): whether to enable the extension.
• disableeval.intercept_compile_string (boolean, default On): whether to use the zend_compile_string hook to detect the usage of eval().
• disableeval.aggressive (boolean, default Off): whether to react to all evaluated code (even the one generated by extensions or SAPIs). Works together with disableeval.intercept_compile_string.
• disableeval.mode (integer, default 1): what to do on a policy violation:
  • 1 (DISABLEEVAL_MODE_THROW): throw an ErrorException exception;
  • 2 (DISABLEEVAL_MODE_WARN): display a warning;
  • 3 (DISABLEEVAL_MODE_SCREAM): display a warning that cannot be suppressed with the @ operator;
  • 4 (DISABLEEVAL_MODE_BAILOUT): emit a fatal error and abort the script.

For security reasons, all options are PHP_INI_SYSTEM: that is, they can only be set in php.ini or httpd.conf.