disable_functions/classes is a great thing for sandboxing, but actually it is impossible to remember all the dangerous functions/classes.
Maybe you can also introduce whitelisting?
So all the features are disabled, and there is an enable_functions/class directive, maybe also with some predefined set of whitelists for stuff like "echo" and other basic non-dangerous functions?