我理解您的担忧。即使对于受信任的来源，PHP也提供了比Web请求的整个环境所需的更多访问权限。即使脚本编写者是可信任的，即使他们只能通过脚本错误来伤害自己，更容易使用的脚本编写环境也更容易让您支持。

I understand your concern. Even for trusted sources, PHP provides more access than is necessary to the whole environment of the web request. Even if the scripters are trusted and even if they can only harm themselves with a scripting error, a more constrained scripting environment would be easier for them to use and easier for you to support.

你想要一些可以沙盒化的东西，它只能访问你明确分配给它的作用域的资源，并且在在游戏中玩运行时环境而不是在PHP自己的运行环境中执行。

You want something that can be sandboxed off, that can only access resources you explicitly assign to its scope, and that executes in a "play within a play" runtime environment rather than in PHP's own.

一种方法是对用户提交的脚本使用Web模板语言。这些提供了一定量的控制（例如变量赋值），并关闭其他选项，例如，您无法编写无限循环。我在Java应用程序中使用Velocity用于此目的;我认为像Smarty这样的东西可能适用于PHP，但我没有直接使用它来实现这一目的。

One approach is to use a web templating language for user-submitted scripts. These provide a certain amount of control (variable assignment for example), and close off other options, for example you can't write an infinite loop. I've used Velocity for this purpose in Java applications; I think something like Smarty might work in PHP, but I don't have direct experience of using it for that purpose.

另一种方法，如果脚本需要做的是受域限制，则实现域特定语言（DSL）。我在这个答案中提到过。

Another approach, if what the scripts are required to do is constrained by the domain, is to implement a Domain Specific Language (DSL). I mentioned that in this answer.

除此之外，我不知道脚本语言的任何纯PHP实现。这是我自己感兴趣的东西。

Apart from that, I don't know of any pure-PHP implementations of scripting languages. It's something I'd be interested in myself.