
create_function() — The Dynamic Code Smell

PHP · PHP 4.0+ · Intermediate
debt(d3/e3/b3/t7)
d3 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'default linter catches the common case' (d3). The term's detection_hints list Rector and phpcs, both widely used in PHP projects. The code_pattern `create_function\(` is a straightforward regex match; Rector flags it through its PHP 7.2 rule set (CreateFunctionToAnonymousFunctionRector), phpcs through the PHPCompatibility standard rather than its stock rules, and PHP 7.2+ itself raises E_DEPRECATED on every call at runtime. This places it at d3: common tooling catches it with no more than a standard ruleset. Two caveats for the bare regex: it also matches the name inside comments and string contents, and it misses the name passed as a string, as in `call_user_func('create_function', ...)`, so treat a grep as a first pass.
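The two regex gaps just mentioned are easy to close by scanning tokens instead of text. The following is an added example, not code from the page's tooling or from Rector/phpcs: it uses PHP's own tokenizer to report direct and fully qualified calls plus the string-name form, while ignoring the name when it appears in a comment or inside a string literal. The `$sample` source at the bottom is constructed input; in practice feed it `file_get_contents($path)` for each file.

```php
<?php
// Added example, not from the original page: a token-based scanner for
// create_function() use. A regex such as /create_function\(/ also matches
// comments, docblocks and string contents, and it misses the dynamic form
// call_user_func('create_function', ...). Tokenising the source handles both.
// $sample below is constructed input; in practice feed file_get_contents($path).

function findCreateFunction(string $source): array
{
    $hits = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    $skippable = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    // Tokens after which a matching name is NOT a global function call.
    $notCall = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    if (defined('T_NULLSAFE_OBJECT_OPERATOR')) {      // PHP 8.0+
        $notCall[] = T_NULLSAFE_OBJECT_OPERATOR;
    }

    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) {
            continue;                                  // single-char tokens: ( ) ; etc.
        }
        [$id, $text, $line] = $tokens[$i];

        // Direct call, bare or fully qualified (\create_function). PHP 8 tokenises
        // the qualified form as one T_NAME_FULLY_QUALIFIED token; PHP 7 as \ + T_STRING.
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        if ($isName && strcasecmp(ltrim($text, '\\'), 'create_function') === 0) {
            $j = $i - 1;
            while ($j >= 0 && is_array($tokens[$j]) && in_array($tokens[$j][0], $skippable, true)) {
                $j--;
            }
            $prevId = ($j >= 0 && is_array($tokens[$j])) ? $tokens[$j][0] : null;
            // Skip $obj->create_function(), Foo::create_function() and polyfill definitions.
            if (!in_array($prevId, $notCall, true)) {
                $hits[] = ['line' => $line, 'kind' => 'direct'];
            }
            continue;
        }

        // Name passed as a string literal, e.g. call_user_func('create_function', ...).
        // This also matches guards like function_exists('create_function'), so review these.
        if ($id === T_CONSTANT_ENCAPSED_STRING
            && strcasecmp(trim($text, '\'"'), 'create_function') === 0) {
            $hits[] = ['line' => $line, 'kind' => 'string-name'];
        }
    }
    return $hits;
}

// Constructed sample source: two real calls, one dynamic call, and two decoys
// (a comment and a string) that a bare regex would also report.
$sample = <<<'PHP'
<?php
// create_function( in a comment must not count
$a = create_function('$x', 'return $x * 2;');
$b = \create_function('$y', 'return $y + 1;');
$c = call_user_func('create_function', '$z', 'return $z;');
$note = "legacy note: create_function( was used here";
$d = array_map(function ($v) { return $v * 2; }, [1, 2]);
PHP;

foreach (findCreateFunction($sample) as $hit) {
    printf("line %d: %s use of create_function()\n", $hit['line'], $hit['kind']);
}
```

Run against `$sample`, the scanner reports the bare and the fully qualified calls as direct uses and the `call_user_func` argument as a string-name use; the comment and the double-quoted string, which a plain `create_function\(` grep would also flag, are not reported. Method calls and a `function create_function()` polyfill definition are skipped by the previous-token check; the string-name hits are reported for review because the same literal appears in harmless `function_exists()` guards.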

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix (replace pattern with safer alternative)' (e3). The quick_fix explicitly says to replace with `function(){}` closures or `fn()` arrow functions and to run Rector, which automates the migration. This is a small, mechanical refactor: Rector handles most cases automatically, but a human must verify variable capture semantics (values that were concatenated into the body string become `use()` captures) and check whether any part of the original strings came from untrusted input, since the logic around that input still needs review even after the injection vector is gone. One further check: create_function() returned a generated function name as a string, so code that tests the result with `is_string()` or `function_exists()` breaks once it receives a Closure object instead. Slightly above e1 because of this manual review.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to scope covers web and cli contexts broadly, but create_function() is typically a call-site smell rather than a load-bearing architectural choice. Each occurrence is an isolated liability; there is no systemic pull on the rest of the codebase. The burden is per-use-site rather than cross-cutting, keeping it at b3.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap (contradicts how a similar concept works elsewhere)' (t7). The misconception field states explicitly that developers typically think this is only a performance issue, when in fact it is an eval-based code injection vector (potential RCE) and a static analysis blocker. A competent developer migrating from older PHP or coming from another dynamic language would naturally assume a 'function factory' helper is merely a convenience or performance concern — the security implication is non-obvious and contradicts the benign naming.


TL;DR

create_function() created anonymous functions from strings: deprecated in PHP 7.2, removed in PHP 8.0. It used eval() internally, so any untrusted content in its arguments meant code injection, and it was always replaceable with proper closures.

Explanation

create_function('$x', 'return $x * 2;') compiled its two string arguments into PHP source using eval() under the hood, registered the result as a function with a generated name (beginning with a NUL byte so it could not collide with user code), and returned that name as a string. Problems: (1) RCE risk if any part of either string came from user input, because the string is parsed as code; (2) invisible to static analysis, which sees only a string; (3) worse performance than closures, since each call to create_function() compiles again and functions created in a loop were never freed; (4) no IDE support. Deprecated in PHP 7.2, removed in PHP 8.0. Direct replacement: function($x) { return $x * 2; } or fn($x) => $x * 2; values that used to be concatenated into the body string become use() captures (arrow functions capture by value automatically). Rector handles the migration. It was a PHP 4 workaround; closures (PHP 5.3) made it completely obsolete.
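The injection path and the closure migration described above, side by side, as an added example that is not part of the original page. `$untrusted` is a constructed stand-in for request input such as `$_GET['factor']`; the payload only prints a marker where a real attack would call system(). The block needs PHP 7.4 for the arrow-function line; on PHP 8 the legacy branch is skipped because create_function() no longer exists.

```php
<?php
// Added example, not from the original page. $untrusted is a constructed
// stand-in for request input such as $_GET['factor'].
$untrusted = "2 * (print 'INJECTED ')"; // attacker-chosen; a real payload would call system()

// Legacy form: the body argument is SOURCE TEXT. Concatenating $untrusted in
// means the eval() inside create_function() parses and runs it. The generated
// body here is:  return $x * 2 * (print 'INJECTED ');
if (function_exists('create_function')) {                 // gone in PHP 8
    $legacy = @create_function('$x', 'return $x * ' . $untrusted . ';'); // @ hides the 7.2+ E_DEPRECATED
    var_dump($legacy);       // a generated function NAME (string), not a Closure
    var_dump($legacy(21));   // the injected print runs as part of the multiplication
}

// Replacement: the multiplier is a VALUE captured with use(), never source
// text. Validate it as data; anything that is not an integer is rejected
// instead of executed.
$factor = filter_var($untrusted, FILTER_VALIDATE_INT);
if ($factor === false) {
    $factor = 1; // or reject the request outright; either way it can never become code
}
$multiply = function ($x) use ($factor) {
    return $x * $factor;
};
var_dump($multiply(21));

// PHP 7.4+: arrow function, captures $factor by value automatically.
$multiplyArrow = fn($x) => $x * $factor;
var_dump($multiplyArrow(21));

// Closure objects satisfy `callable` just as the old name string did, so
// call sites such as array_map() and usort() need no change.
var_dump(array_map($multiply, [1, 2, 3]));
```

The contrast to take away: in the legacy branch the only thing standing between the request and the interpreter is string concatenation, whereas in the replacement the input can only ever be a value, and the validation failure mode is a rejected multiplier rather than executed code.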

Common Misconception

create_function() was only a performance issue — it was a security vulnerability (eval-based) and a static analysis blocker, not just slow.

Why It Matters

create_function() was removed in PHP 8 and generates deprecation warnings in PHP 7.2+. Beyond removal, it uses eval() internally — meaning the function body is a string that gets parsed at runtime, which is a code injection vector if any part of the string comes from user input. Every use case is better served by anonymous functions (closures), which are faster, statically analysable, and support proper variable capture via use().

Common Mistakes

  • Building either argument string from any user-controlled content (by concatenation or double-quoted interpolation): direct RCE.
  • Not using Rector to automate migration to closures.
  • Not knowing arrow functions (fn($x) => ...) are available as a cleaner alternative.

Code Examples

✗ Vulnerable
// Deprecated, and an RCE sink: $code is parsed as PHP source inside eval().
$code = $_GET['factor'];                                   // attacker-controlled
$fn = create_function('$x', 'return $x * ' . $code . ';');
$fn(21);

// Removed in PHP 8: "Call to undefined function create_function()" fatal error
✓ Fixed
// Closure: $factor is data captured by value, never source text.
$factor = (int) $_GET['factor'];
$fn = function($x) use ($factor) { return $x * $factor; };

// Arrow function (PHP 7.4+), captures $factor automatically:
$fn = fn($x) => $x * $factor;

Added 23 Mar 2026
DEV INTEL: Tools & Severity

Severity: 🔴 Critical · Fix effort: Low

⚡ Quick Fix
Replace create_function() with function(){} closures or fn() => arrow functions. Run Rector. Never pass user input to create_function().

📦 Applies To
PHP 4.0+ (web, cli)

🔍 Detection Hints
Pattern: create_function\(
Auto-detectable: ✓ Yes (rector; phpcs with the PHPCompatibility standard)

🤖 AI Agent
Confidence: High · False Positives: Low · ✓ Auto-fixable · Fix: Low · Context: Line

CWE-95 (Eval Injection) · CWE-74 (Injection)

