I know that eval is the function in PHP to execute PHP code from an input. Now I want to make a W3Schools-like editor. What can I do to protect eval code that I get from a POST variable?
$code = eval($_POST["phpusercode"]);
echo $code;
What I want to do is when a user will make a function like this
I want to give user the ability to write his own PHP code on my site without making my website vulnerable to some sort of hacking.
eval evaluates code, so, as @sectus says in comments, it executes the code.
For example:
eval("echo 'Hello user';"); // This will execute echo 'Hello user'
So, in your case I think you don't want to execute your user code, so please clarify your question and update it.
IMPORTANT:
eval is highly discouraged
eval with params by POST/GET without sanitizing them
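Added example, not part of the question or the answer above: one reading of "sanitize" for the $_POST["phpusercode"] input is a strict token allowlist checked before eval. The function names, the allowlist and the 200-byte limit are assumptions; this only lets constant echo statements through and does not make arbitrary user PHP safe to run inside the web process.

```php
<?php
// Added example (not from the page): strict token allowlist before eval().
const ALLOWED_TOKENS = [
    T_OPEN_TAG, T_ECHO, T_WHITESPACE,
    T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER,
];
// '(' and ')' are left out on purpose: PHP can call a function through a
// string literal, e.g. ('strlen')('x'), which uses no identifier token.
const ALLOWED_CHARS = [';', '.', ',', '+', '-', '*', '/'];

function is_allowed_snippet(string $code): bool
{
    // token_get_all() only lexes PHP after an open tag, so prepend one.
    foreach (token_get_all('<?php ' . $code) as $token) {
        if (is_array($token)) {
            if (!in_array($token[0], ALLOWED_TOKENS, true)) {
                return false;   // identifiers, variables, includes, ...
            }
        } elseif (!in_array($token, ALLOWED_CHARS, true)) {
            return false;       // backticks, quotes of "$x" strings, ...
        }
    }
    return true;
}

function run_snippet(string $code): string
{
    if (strlen($code) > 200 || !is_allowed_snippet($code)) {
        return 'rejected';
    }
    ob_start();
    try {
        eval($code);
    } catch (Throwable $e) {    // ParseError, DivisionByZeroError, ...
        ob_end_clean();
        return 'error';
    }
    return ob_get_clean();
}

// Constructed inputs standing in for $_POST["phpusercode"].
foreach (["echo 'Hello user';", "echo 2 + 3 * 4;", "echo 'Hello user'",
          "echo phpinfo();", "echo ('strlen')('x');", 'echo "$x";'] as $input) {
    printf("%-24s => %s\n", $input, run_snippet($input));
}
```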