create-function

PHP sandbox/sanitize code passed to create_function

旧时模样 submitted on 2019-11-28 12:57:13

I am using create_function to run some user-code at server end. I am looking for any of these two: Is there a way to sanitize the code passed to it to prevent something harmful from executing? Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else. Thanks!

http://php.net/runkit

You could use the tokenizer to figure out what the code will do, then whitelist certain functions and operations. I think it would end up being very difficult (or impossible) to make it foolproof, especially given PHP's flexibility: $f

PHP sandbox/sanitize code passed to create_function

你离开我真会死。 submitted on 2019-11-27 07:20:30

Question: I am using create_function to run some user-code at server end. I am looking for any of these two: Is there a way to sanitize the code passed to it to prevent something harmful from executing? Alternately, is there a way to specify this code to be run in a sandboxed environment so that the user can't play around with anything else. Thanks!

Answer 1: http://php.net/runkit

Answer 2: You could use the tokenizer to figure out what the code will do, then whitelist certain functions and operations. I think