DEV Community

Discussion on: PHP: Return true to win - WriteUp (Part 1)

Josh Cheek

You can't really figure out when user code is malicious, and escaping won't work here b/c the input itself must be evaluated. IDK how it's implemented, my guess is that it's running on a sandboxed server (e.g. has memory/processor/duration thresholds set, which will kill the program if you exceed them, has abusable features like http and system commands disabled). The comment about session_id would support this hypothesis. There are other options, though. I've done things like this by shipping them off to eval.in, which does its own sandboxing. You could also compile PHP to WebAssembly and run it in the user's browser (guessing this would take quite a bit of work, but it should be possible).
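The kind of PHP-level limits the comment above guesses at, written out as a `php.ini` fragment. This is an added illustration, not the challenge's actual configuration, and the values and paths are assumptions; on its own it is a hardening layer, not a full sandbox, since an OS-level boundary (container, seccomp, rlimits) is still needed underneath.

```ini
; Added example: PHP-level limits for a host that must eval() untrusted code.
; Directive names are real php.ini settings; values and paths are assumed.

; Resource thresholds: the engine aborts the script when these are exceeded.
memory_limit = 32M
max_execution_time = 5        ; CPU seconds on Linux; sleep()/IO wait is not counted
max_input_time = 5

; Disable shell and process-spawning functions (PHP_INI_SYSTEM, cannot be
; re-enabled from user code with ini_set).
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,pcntl_fork,putenv,dl,curl_exec,curl_multi_exec,mail

; Block outbound HTTP via stream wrappers and remote includes.
allow_url_fopen = Off
allow_url_include = Off

; Confine filesystem access to the sandbox directory.
open_basedir = /var/sandbox

; Reduce what an error message or header reveals about the host.
expose_php = Off
display_errors = Off
log_errors = On
```

`disable_functions` is an allow-nothing list only for the names it contains, so review it against the PHP extensions actually loaded; anything not listed (file I/O inside `open_basedir`, for instance) remains callable.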