I want to allow users to create own apps with php on my webpage. The problem is they have access to some dangerous commands like
Don't. There is no way to do this safely.
PHP was not designed for this application. It has no way to filter function calls at runtime.
Filtering user-generated code is unlikely to be effective either. There are a lot of subtle ways to bypass all of the obvious approaches to filtering -- for instance, a function call can be concealed by using indirect function call syntax:
$fn = "system"; $fn("evil command");
or by using commands which you may not realize are equivalent to
eval, such as
create_function, or even
preg_exec in some versions of PHP.