Taking a quick look at it, I'd not recommend it. (Unless I'm missing something, which I don't I am) You put in: echo 'hello'; PHP: You get: eval(base64_decode("ZWNobyAnaGVsbG8nOw==")); PHP: You replace eval with echo: echo(base64_decode("ZWNobyAnaGVsbG8nOw==")); PHP: And you get: echo 'hello'; PHP: Back again to our original code, so I would not consider this secure in the slightest. You could also simply make your own version of this script with: if (isset($_POST['code'])) { echo 'eval(base64_decode("'.base64_encode ( $_POST['code'] ) . '"));'; } PHP: