Online PHP Function(s){ #Test PHP functions online!; }


PHP Sandbox

Test your PHP code with this code tester

You can test your PHP code here on many PHP versions.

Your script:

Script loaded from database. Saved on 12/03/2012 08:13am by Stephan

This script works with a whitelist of functions. All functions that do not require disk, system or network access are whitelisted; all others are blacklisted. The maximum execution time is set to 3 seconds.

If you find a disabled function that should be whitelisted or if you run into other problems, please use the comments section below.
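
PHP has no allowlist directive, so a whitelist like the one described above has to be inverted into a `disable_functions` list for the build in question. The script below is an added example, not this site's code; the allowlist contents and the misspelled `str_lenght` entry are constructed for illustration.

```php
<?php
// Added example (not the sandbox's own code).
// Run it under the target PHP build BEFORE disable_functions is set, with the
// same extensions loaded, so every internal function is visible.

// Constructed sample allowlist: pure functions with no disk, system or
// network access. 'str_lenght' is a deliberate typo to show the check below.
$allow = ['chr', 'is_string', 'gettype', 'func_get_args', 'get_class',
          'error_reporting', 'trigger_error', 'strlen', 'str_lenght'];

function build_policy(array $allow)
{
    $defined  = get_defined_functions();
    $internal = array_map('strtolower', $defined['internal']);
    $allowSet = array_flip(array_map('strtolower', $allow));

    // Everything the build ships that is not explicitly allowed is denied,
    // so functions added by a new extension are blocked by default.
    $deny = array();
    foreach ($internal as $name) {
        if (!isset($allowSet[$name])) {
            $deny[] = $name;
        }
    }
    sort($deny);

    // Allowlisted names missing from this build are usually typos.
    $unknown = array_values(array_diff(array_keys($allowSet), $internal));

    return array('deny' => $deny, 'unknown' => $unknown);
}

$policy = build_policy($allow);

// disable_functions is only honoured in php.ini; ini_set() cannot change it.
// Language constructs (eval, include, echo, ...) are not functions and are
// not affected by this directive.
echo "; generated for PHP " . PHP_VERSION . "\n";
echo "max_execution_time = 3\n";
echo "disable_functions = " . implode(',', $policy['deny']) . "\n";

foreach ($policy['unknown'] as $name) {
    fwrite(STDERR, "warning: '$name' is not an internal function in this build\n");
}
```

The list has to be regenerated for every PHP version offered, because each build exposes a different set of internal functions.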




Tony @ 04/23/2013 12:02pm
The BC math functions do not work.
James Stone @ 04/03/2013 10:06am
This PHP Sandbox is very helpful to me, and you can disregard my last comment. My encryption algorithm had a few bugs in it; copying and pasting the encrypted code twice corrupts the code.
John @ 04/02/2013 09:56am
Security by obscurity, not a good idea. I can delete them for you, but I will need the keys.
James Stone @ 04/02/2013 09:38am
If you can... Can you please delete the database entries of the code created by me? I don't want anyone getting my encryption algorithm.
ionut @ 03/17/2013 12:29pm
Hello, why is parse_url() disabled?
Muhammad Uzair Khan @ 02/28/2013 02:49am
Hi All,

Just wanted to appreciate this great work. Helps a lot since it removes the need to set up PHP on our machine. Great work. Best thing, all calls are handled via AJAX, which makes this pretty fast and easy. Really nice place to learn and test. Even pros will be getting much help.
Jeroen @ 02/24/2013 08:21am
Hi Uyon,

thanks. You can find examples of every function on this website. The sandbox is simply to test some code.
Uyon @ 02/24/2013 03:13am
I'm a beginner at PHP, but the sandbox does give me lots of help, so thanks a lot. I believe it's going to be more powerful if you can combine some examples with the sandbox.
Jeroen @ 02/15/2013 06:47am
No, sorry, I won't share my code.
Zach Bimson @ 01/16/2013 09:25am
Hey, would you mind sharing your build code/HTML for the sandbox itself? I'd like to have a play with it! Thanks,
pinepain @ 01/04/2013 01:09am
get_class() has been disabled for security reasons??? Does it really affect security?
Shishir @ 12/25/2012 05:11am
convert_uuencode() disabled ... it says it's disabled for security reasons.. anyone explain plz :/
John @ 12/20/2012 08:54am
Sure, it's enabled. Thanks!
Vadim @ 12/20/2012 03:24am
func_get_args() is disabled. Could you please enable it?
Andy @ 10/19/2012 09:24am
Please enable SimpleXMLElement for PHP 5.3.0.
Ismael Miguel @ 10/11/2012 06:15am
for most of the work, yes...
I usually use this website to test my code at work, and at home...
this has been really handy to me...
this helped me a lot to create the most complicated and handy functions, and to test them...

you enabled those functions, but you forgot to add them here:
(is_string and gettype)
(trigger_error and error_reporting)

and you should put the zlib functions in a new category...
John @ 10/10/2012 04:04pm
Hi Ismael,

If you have any questions, please use the forum.

3 secs is more than enough to run most scripts, if it takes more time (on this website), you are running very complicated calculations or you have a loop somewhere. The way to detect a loop is simply by using a time limit. The script tells you on what line the script ended (try clicking on my name for an example).
Ismael Miguel @ 10/10/2012 03:47pm
Thank you a lot...

I am trying to develop some "weird" SQL-like function to access array data...

and I noticed the changes, for a few seconds the code was returning weird chars...

I just sort of finished the 'drop' statement...

it's not well implemented, but will do the job...

by the way, you should set the timeout to 6 seconds, or allow changing it between 3 and 6 seconds...

I don't know if it is possible, but that would be great!!!

but unfortunately, there is no way to check if you are doing an infinite loop or not...

and if you do:


this will make the code run forever, according to the PHP page, the counter restarts, so, it's always at 0...

but you could try to create your own method to change the time only once and between 3 and 6 seconds...
John @ 10/10/2012 03:35pm
Hi Ismael,

Thanks for your comment! I enabled those functions.

Ismael Miguel @ 10/10/2012 02:54pm
functions that are safe and should be enabled:
error_reporting() //activates or not error reporting for that code, not on php.ini file
is_string() //this should NEVER have been blacklisted
gettype() //this only returns the type of a var (null, string, int, float...)
trigger_error() //pretty much a die() but specifies the error line and the type of error
Andy @ 09/14/2012 03:42pm
Would be good to have different SAPI: CGI(FASTCGI) and module.
John @ 08/29/2012 11:50am
Sorry Ismael, that is not the way to do it if you want it to be totally safe.

You have to separate the code that users post totally to a safe environment. I use a VPS to run the posted PHP code in a modified PHP environment. Block all outgoing ports, block all functions that handle the filesystem, and execute code as a jailed user with no permissions at all. Then return the output of the code to the main server and show it.
That is how this website works in a nutshell.
Ismael @ 08/29/2012 09:32am
Use jQuery...
then you use the post function...
and you try to create a file with the inputted code in the textarea, using an FTP connection...
or you can also give 1 file for each user, and when they upload the code, it will be always available for them to try the code...

then you make the page to return the url with the name of the new file...
and you use that url into a iframe...
i won't explain how to do it, but you can google for jquery and
John @ 07/15/2012 07:54am
Thanks, I am enabling mb_convert_encoding now. For the imap functions the imap extension is required. It comes with some extra functions that I need to review first before I recompile all versions and enable it.

Thanks for your input. You are right, chr() is totally safe. I am removing it from the blacklist right now.
Harry @ 07/15/2012 06:32am
chr() has been blacklisted, but I don't see why?
Ameir @ 07/10/2012 05:40am
Can the functions mb_convert_encoding, imap_utf7_decode, and imap_utf7_encode be enabled?  Thanks for the awesome site!
John @ 05/08/2012 03:49pm
Hi Chris,
You can use disable functions and add all functions that can harm your system. And to be sure, run it on a VPS. Thanks, John
Chris @ 05/07/2012 09:52pm
How did you manage to achieve this as I am trying to implement something like this for my website so that code contributors are able to upload their code to expand the features of the features engine but not affect the main running of the site by posting malicious code.

      PHP versions: 5.6.2, 5.5.18, 5.5.5, 5.5.0.a6, 5.5.0.a.5, 5.5.0.a.2, 5.4.34, 5.4.21, 5.4.13, 5.4.12, 5.4.11, 5.4.10, 5.4.9, 5.4.8, 5.4.7, 5.4.6, 5.4.5, 5.4.4, 5.4.3, 5.4.2, 5.4.1, 5.4.0, 5.3.29, 5.3.27, 5.3.23, 5.3.22, 5.3.21, 5.3.20, 5.3.19, 5.3.18, 5.3.17, 5.3.16, 5.3.15, 5.3.14, 5.3.13, 5.3.12, 5.3.11, 5.3.10, 5.3.3, 5.3.2, 5.3.1, 5.3.0, 5.2.17, 5.2.16, 5.1.6, 5.1.5, 5.0.5, 5.0.4, 4.4.9