sjinks/php-disable-eval

php-disable-eval

A PHP extension to disable eval() and create_function().

Installation

phpize
./configure
make
sudo make install

Then add

extension=disableeval.so

to your php.ini.

Configuration Options (php.ini)

  • disableeval.enabled (boolean, default On): whether to enable the extension.
  • disableeval.disallow_assert (boolean, default On): whether to disallow assert() with a string argument (PHP 7 only).
  • disableeval.intercept_compile_string (boolean, default On): whether to use the zend_compile_string hook to detect the usage of eval(). If this option is disabled, the extension will not be able to catch mb_ereg_replace/mb_eregi_replace with the e flag in PHP 7.
  • disableeval.aggressive (boolean, default Off): whether to react to all evaluated code (even code generated by extensions or SAPIs). Works together with disableeval.intercept_compile_string.
  • disableeval.mode (integer, default 1): what to do on a policy violation:
    • 1 (DISABLEEVAL_MODE_THROW): throw an ErrorException exception;
    • 2 (DISABLEEVAL_MODE_WARN): display a warning;
    • 3 (DISABLEEVAL_MODE_SCREAM): display a warning that cannot be suppressed with the @ operator;
    • 4 (DISABLEEVAL_MODE_BAILOUT): emit a fatal error and abort the script.

For security reasons, all options are PHP_INI_SYSTEM: that is, they can only be set in php.ini or httpd.conf.
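
A post-install check for the options above, as an added example that is not part of the project's own code. It assumes the module registers under the name disableeval (inferred from disableeval.so and the ini prefix); the function name disableeval_selftest is hypothetical.

```php
<?php
// Added example: post-deployment self-test for the disableeval extension.
// Assumption: the module registers as "disableeval" (inferred from
// disableeval.so and the disableeval.* ini prefix on this page).

function disableeval_selftest(): array   // hypothetical helper name
{
    $report = [
        'loaded'  => extension_loaded('disableeval'),
        // ini_get() returns false when the option is not registered at all.
        'enabled' => ini_get('disableeval.enabled'),
        'mode'    => ini_get('disableeval.mode'),
        'signal'  => 'none',
    ];

    $executed = false;
    // Capture warnings (modes 2 and 3) instead of printing them.
    set_error_handler(function (int $no, string $msg) use (&$report): bool {
        $report['signal'] = "warning: $msg";
        return true;
    });
    try {
        // Harmless probe: sets a local flag only if the evaluated code runs.
        // In mode 4 the script is aborted at this call and never continues.
        eval('$executed = true;');
    } catch (Throwable $e) {
        // Mode 1 is documented to throw ErrorException.
        $report['signal'] = get_class($e) . ': ' . $e->getMessage();
    } finally {
        restore_error_handler();
    }

    // Measured, not assumed: did the probe code actually execute?
    $report['eval_executed'] = $executed;
    return $report;
}

$r = disableeval_selftest();
foreach ($r as $key => $value) {
    echo str_pad($key, 15), var_export($value, true), PHP_EOL;
}
// Non-zero exit status when eval() still ran, so a deploy job can fail on it.
exit($r['eval_executed'] ? 1 : 0);
```

Run it under the SAPI that serves production traffic, since the CLI and the web server often load different php.ini files.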
