Solution:1
Why reinvent the wheel? Most developers rely on frameworks and templating engines for this. Consider using a proven solution such as Phalcon (and its Volt templating engine) rather than rolling your own.
Links for reference: phalconphp.com — Phalcon docs (Volt templating).
Quick notes & alternatives
Templating engines (Volt, Twig, Plates) are the safest and most maintainable way to process dynamic templates without eval().
If you must interpret PHP-like expressions from strings, prefer a sandboxed approach — e.g., run code in a separate process with strict permissions — instead of eval().
For limited parsing or analysis (not execution), token_get_all() can inspect PHP code safely without running it.
Avoid deprecated or insecure patterns like create_function() or unfiltered eval().