{
    "slug": "php5_create_function",
    "term": "create_function() — The Dynamic Code Smell",
    "category": "php",
    "difficulty": "intermediate",
    "short": "create_function() created anonymous functions from strings — deprecated PHP 7.2, removed PHP 8. It used eval() internally, risked code injection, and was always replaceable with proper closures.",
    "long": "create_function('$x', 'return $x * 2;') compiled its two string arguments into a function at runtime using eval() under the hood. Problems: (1) code injection, up to RCE, if any part of either string was user-controlled, because the strings are source code rather than data; (2) opaque to static analysis, linters and IDEs, which cannot see inside a string; (3) worse performance than closures, since every create_function() call compiled its string afresh and the generated lambda stayed in the function table until the end of the request; (4) no real variable capture: outer values had to be spliced into the body as text, which is exactly the injection pattern. Deprecated in PHP 7.2, removed in PHP 8.0. Direct replacement: function($x) { return $x * 2; }, or fn($x) => $x * 2 on PHP 7.4+; outer values are captured with use() in closures and automatically by value in arrow functions. Rector's CreateFunctionToAnonymousFunctionRector (Php72 set) automates the migration. create_function() was a PHP 4 workaround; closures (PHP 5.3) made it obsolete.",
    "aliases": [],
    "tags": [
        "php",
        "history",
        "security",
        "eval",
        "create-function",
        "php8"
    ],
    "misconception": "That create_function() was merely slow, or merely deprecated. It was eval() with a parameter list: a code-injection vector whenever any part of either string argument was tainted, and opaque to static analysers and IDEs. The security and tooling problems, not the speed, are the reason to remove it.",
    "why_it_matters": "create_function() was removed in PHP 8 and generates deprecation warnings in PHP 7.2+. Beyond removal, it uses eval() internally — meaning the function body is a string that gets parsed at runtime, which is a code injection vector if any part of the string comes from user input. Every use case is better served by anonymous functions (closures), which are faster, statically analysable, and support proper variable capture via use().",
    "common_mistakes": [
        "Using create_function() with any user-controlled content — direct RCE.",
        "Not using Rector to automate migration to closures.",
        "Not knowing arrow functions (fn($x) => ...) are available as a cleaner alternative."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "php5_closures_intro",
        "php_preg_e_modifier",
        "eval_injection",
        "php_deprecation_notices"
    ],
    "prerequisites": [
        "php5_closures_intro"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.create-function.php"
    ],
    "bad_code": "// Deprecated in PHP 7.2, removed in PHP 8 (Error: call to undefined function):\n$fn = create_function('$x', 'return $x * 2;');\n\n// The body string is eval()'d, so a user-controlled $code is remote code execution:\n$fn = create_function('$x', $code);  // e.g. $code = 'system($_GET[\"c\"]);'",
    "good_code": "// Closure:\n$fn = function($x) { return $x * 2; };\n\n// Arrow function (PHP 7.4+):\n$fn = fn($x) => $x * 2;",
    "quick_fix": "Replace create_function() with function(){} closures or fn() => arrow functions. Run Rector. Never pass user input to create_function().",
    "severity": "critical",
    "effort": "low",
    "created": "2026-03-23",
    "updated": "2026-03-23",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/php5_create_function",
        "html_url": "https://codeclaritylab.com/glossary/php5_create_function",
        "json_url": "https://codeclaritylab.com/glossary/php5_create_function.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[create_function() — The Dynamic Code Smell](https://codeclaritylab.com/glossary/php5_create_function) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/php5_create_function"
            }
        }
    }
}
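The injection path described in the entry, shown end to end: a request-supplied sort field spliced into a create_function() body, beside the closure replacement that validates the field and captures it with use(). This is an added example, not code from the CodeClarityLab glossary entry; the helper names, the `$rows` array and the `sort` request parameter are assumptions made for illustration.

```php
<?php
// Added example (not from the glossary entry). $rows and the `sort` request
// parameter are constructed sample data; the function names are illustrative.
declare(strict_types=1);

$rows = [
    ['name' => 'b', 'score' => 2],
    ['name' => 'a', 'score' => 3],
];

// --- Vulnerable (runs on PHP <= 7.4 only; the function is gone in PHP 8) ---
// The comparator body is assembled by string concatenation and then eval()'d.
// A request such as  ?sort=score"] . system($_GET["c"]); //  makes the body
//   return $a["score"] . system($_GET["c"]); // ...
// so the "sort key" is executed as PHP. Never run this with real input.
function sortByCreateFunction(array $rows, string $field): array
{
    $cmp = create_function(
        '$a, $b',
        'return $a["' . $field . '"] <=> $b["' . $field . '"];'
    );
    usort($rows, $cmp);
    return $rows;
}

// --- Hardened ---------------------------------------------------------------
// The field name is checked against an allowlist and then captured by the
// closure with use(). It is data inside an already-compiled function; no part
// of the request ever becomes source code, and static analysers can see the body.
function sortByClosure(array $rows, string $field): array
{
    $allowed = ['name', 'score'];
    if (!in_array($field, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort field: $field");
    }
    usort($rows, function (array $a, array $b) use ($field): int {
        return $a[$field] <=> $b[$field];
    });
    return $rows;
}

// Usage: the injected value above is rejected by the allowlist; a valid
// field sorts normally. In the CLI $_GET is empty, so the default applies.
$field = $_GET['sort'] ?? 'score';
print_r(sortByClosure($rows, $field));
```

On PHP 7.4+ the closure can be written as `fn(array $a, array $b): int => $a[$field] <=> $b[$field]`, which captures `$field` by value automatically. The allowlist matters even with a closure: without it the request still picks an arbitrary array key, which is an authorization problem rather than code execution, but it is the difference between "wrong column" and "attacker shell".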