create_function() — The Dynamic Code Smell
TL;DR
create_function() created anonymous functions from strings — deprecated PHP 7.2, removed PHP 8. It used eval() internally, risked code injection, and was always replaceable with proper closures.
Explanation
create_function('$x', 'return $x * 2;') took two strings, a parameter list and a function body, and compiled them as PHP source using eval() under the hood. Problems: (1) RCE risk whenever any part of either string came from user input, and because the only way to reference an outer variable was to concatenate its value into the body string, that is exactly where untrusted data tended to end up; (2) the body is opaque to static analysis, since it is just a string until runtime; (3) worse performance than closures, because every call compiles and registers a new internally named function that is never freed, so calling it in a loop also leaks memory; (4) no IDE support (no completion, refactoring or syntax checking inside the string). Deprecated in PHP 7.2, removed in PHP 8.0. Direct replacement: function($x) { return $x * 2; } or fn($x) => $x * 2. Rector automates the migration (CreateFunctionToAnonymousFunctionRector). It was a PHP 4 workaround; closures (PHP 5.3) made it completely obsolete.
Common Misconception
✗ create_function() was only a performance issue. In fact it was an eval()-based code-injection vector whenever its argument strings were built from untrusted data, and a static-analysis blocker, not just slow.
Why It Matters
create_function() was removed in PHP 8.0 and emits deprecation warnings in PHP 7.2 through 7.4. Beyond removal, it uses eval() internally: the function body is a string that gets parsed as PHP code at runtime, so if any part of that string is assembled from user input (a field name, a multiplier, a format string pasted into the body), the attacker is writing PHP, not data. Every use case is better served by anonymous functions (closures), which are faster, statically analysable, and capture outer variables as values via use() instead of by splicing their text into source code.
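The injection path described above, as an added example that is not part of the original page: a per-request multiplier is concatenated into the body string handed to create_function(), so the client's value is compiled by eval(); the closure and arrow-function versions validate it and capture it as a value. The request arrays and the harmless print() payload are constructed for the demo (a real attacker would use system() or similar). Run it on PHP 7.4, where create_function() still exists (with E_DEPRECATED) and arrow functions are available; on PHP 8 the vulnerable branch is skipped because the function is gone.

```php
<?php
// Added example (not code from the original page).
declare(strict_types=1);

// Constructed request data standing in for $_GET.
$requests = [
    'benign'   => ['factor' => '3'],
    'attacker' => ['factor' => '(print("INJECTED: arbitrary PHP ran\n") ?: 3)'],
];

// ✗ Vulnerable: the multiplier is pasted into source text, so whatever the
// client sent is compiled and executed by the eval() inside create_function().
function scaleWithCreateFunction(array $get): ?int
{
    if (!function_exists('create_function')) {
        return null; // PHP 8+: removed, calling it would be a fatal error
    }
    $factor = $get['factor'] ?? '1';
    $body = 'return $x * ' . $factor . ';'; // injection point
    $fn = @create_function('$x', $body);    // @ hides E_DEPRECATED for the demo only
    return $fn(7);
}

// ✓ Fixed: the multiplier is validated as a number and captured as a VALUE
// via use(); nothing the client sent is ever parsed as PHP.
function scaleWithClosure(array $get): int
{
    $raw = $get['factor'] ?? '1';
    if (!is_numeric($raw)) {
        throw new InvalidArgumentException('factor must be numeric');
    }
    $factor = (int) $raw;
    $fn = function (int $x) use ($factor): int {
        return $x * $factor;
    };
    return $fn(7);
}

// Same fix with an arrow function (PHP 7.4+); it captures $factor by value automatically.
function scaleWithArrowFn(array $get): int
{
    $factor = filter_var($get['factor'] ?? '1', FILTER_VALIDATE_INT);
    if ($factor === false) {
        throw new InvalidArgumentException('factor must be an integer');
    }
    $fn = fn(int $x): int => $x * $factor;
    return $fn(7);
}

foreach ($requests as $label => $get) {
    echo "== $label ==\n";
    $legacy = scaleWithCreateFunction($get);
    echo 'create_function: ', $legacy === null ? 'unavailable on this PHP' : $legacy, "\n";
    try {
        echo 'closure:         ', scaleWithClosure($get), "\n";
        echo 'arrow fn:        ', scaleWithArrowFn($get), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected:        ', $e->getMessage(), "\n";
    }
}
```

For the 'attacker' request the create_function() branch prints the INJECTED line before returning, proving the client's string ran as code, while both replacements reject the value. The fix is not the closure syntax by itself but the fact that the untrusted value only ever travels as a variable, never as source text.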
Common Mistakes
- Building either argument string of create_function() from user-controlled content: direct RCE.
- Migrating by hand instead of running Rector (CreateFunctionToAnonymousFunctionRector), and then not reviewing the converted closures: variables that were spliced into the body as text become real captured variables, and any that held user data still need validation.
- Not knowing arrow functions (fn($x) => ...) are available from PHP 7.4 as a cleaner alternative for single-expression bodies.
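A migration configuration for the Rector step mentioned above, added here as an example and not taken from the original page. It assumes Rector 1.x's fluent RectorConfig API and the rule class from Rector's Php72 rule set; the paths are placeholders, and the class path should be checked against the installed Rector version.

```php
<?php
// rector.php: added example config (not from the original page).
declare(strict_types=1);

use Rector\Config\RectorConfig;
use Rector\Php72\Rector\FuncCall\CreateFunctionToAnonymousFunctionRector;

return RectorConfig::configure()
    // Placeholder source directories; point these at the code to migrate.
    ->withPaths([__DIR__ . '/src', __DIR__ . '/lib'])
    // Run only the create_function() migration so the resulting diff can be
    // reviewed in isolation rather than mixed with every other PHP 7.2 rule.
    ->withRules([CreateFunctionToAnonymousFunctionRector::class]);
```

Preview with `vendor/bin/rector process --dry-run`, then apply by dropping `--dry-run`. Review each rewritten closure: a body that was assembled from a variable (`'return $x * ' . $factor . ';'`) cannot be converted mechanically into a safe use($factor) capture without also deciding where $factor comes from and validating it.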
Code Examples
✗ Vulnerable
// Deprecated in PHP 7.2-7.4 (E_DEPRECATED); RCE risk if any part of either string is built from user input:
$fn = create_function('$x', 'return $x * 2;');
// Removed in PHP 8.0: fatal error, Call to undefined function create_function()
✓ Fixed
// Closure:
$fn = function($x) { return $x * 2; };
// Arrow function (PHP 7.4+), captures outer variables by value automatically:
$fn = fn($x) => $x * 2;
Added
23 Mar 2026
Related categories: DEV INTEL
Tools & Severity
Severity: 🔴 Critical
Fix effort: Low
⚡ Quick Fix
Replace create_function() with function(){} closures or fn() => arrow functions. Run Rector (CreateFunctionToAnonymousFunctionRector) and review the converted closures. Never build either argument string from user input.
📦 Applies To
PHP 4.0.1 through 7.4 (deprecated 7.2, removed 8.0)
web
cli
🔍 Detection Hints
Pattern: create_function\(
Note: matches comments and string literals too; does not catch dynamic calls such as $f = 'create_function'; $f(...).
Auto-detectable: ✓ Yes
Tools: rector, phpcs (PHPCompatibility standard flags removed functions)
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable (fix effort: Low, context: line)
CWE-95 (Eval Injection)
CWE-74 (Injection)