Fredrick Brennan

Reputation: 7357

PHP function to escape string for writing into executable PHP file

I need to handle untrusted input that will be written into a file that is executed by the server, config.php, like this:

$config['key'] = "Value";

I want to make it so that the user can submit a form which will write config.php. It obviously makes more sense to store this value in a database, but I cannot do that because this is a legacy system.

I found the functions addslashes and serialize, but I'm not sure if they are safe for this use case. I also could use hex2bin/bin2hex I suppose.

Another hack I thought of was using HEREDOCs:

$x = <<<PASSWORD
untrusted input here" echo "BOOM!";
PASSWORD;

What is the best way to proceed in this situation if you cannot change how configuration variables are stored?

Upvotes: 0

Views: 256

Answers (1)

Yarek T

Reputation: 9925

Base64 the content. Anything base64'ed can't possibly be valid PHP code.

Upvotes: 1
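A worked implementation of the answer's base64 approach, added here as an example rather than code from either poster. The function names, the whitelist of allowed keys, the temp-file path and the hostile sample value are my own assumptions; the point it shows is that the whole config.php is regenerated from an array, the key is whitelisted (it lands in PHP source too), and the value can only ever appear as a base64 literal.

```php
<?php
// Added example: regenerate config.php from untrusted values so that no value
// can escape its string literal. Names below (ALLOWED_KEYS, buildConfigSource,
// writeConfigFile) are assumptions for this example, not part of the question.
declare(strict_types=1);

// Constructed whitelist: the key is interpolated into PHP source, so it must
// never be taken from the user unchecked.
const ALLOWED_KEYS = ['db_password', 'site_name', 'admin_email'];

function buildConfigSource(array $values): string
{
    $lines = ['<?php', '// Generated file; do not edit by hand.', '$config = [];'];
    foreach ($values as $key => $value) {
        if (!in_array($key, ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException('Refusing unknown config key: ' . var_export($key, true));
        }
        if (!is_string($value)) {
            throw new InvalidArgumentException('Config values must be strings');
        }
        // base64 output is limited to [A-Za-z0-9+/=]; none of those characters
        // can close a single-quoted PHP string, so the value cannot become code.
        $lines[] = sprintf("\$config['%s'] = base64_decode('%s');", $key, base64_encode($value));
    }
    return implode("\n", $lines) . "\n";
}

function writeConfigFile(string $path, array $values): void
{
    $source = buildConfigSource($values);
    // Write to a temp file and rename, so a half-written config.php is never executed.
    $tmp = $path . '.tmp.' . bin2hex(random_bytes(8));
    if (file_put_contents($tmp, $source, LOCK_EX) === false || !rename($tmp, $path)) {
        @unlink($tmp);
        throw new RuntimeException("Could not write $path");
    }
}

// Constructed hostile input, modelled on the question's HEREDOC breakout attempt.
$hostile = "untrusted input here\" echo \"BOOM!\";";
$path = sys_get_temp_dir() . '/config_example.php';   // assumed location for the demo
writeConfigFile($path, ['db_password' => $hostile]);

$config = [];
require $path;   // executes the generated file exactly as the server would
if ($config['db_password'] !== $hostile) {
    throw new RuntimeException('round-trip failed');
}
echo "Value survived byte-for-byte; nothing else was executed.\n";
```

var_export($value, true) is the other PHP-native option: it emits a correctly escaped single-quoted literal, which keeps the generated file human-readable at the cost of relying on PHP's own escaping rather than on a restricted alphabet.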
