
How to prevent file system manipulation by an User


Realistically, no. The security implications of running a service such as this where you would execute untrusted third party code is something that requires a lot of technical planning and infrastructure.

To understand the magnitude of the problem, there is a company that provides such a service (ideone.com, no affiliation). Its parent company, Sphere Engine, offers this as a service to run untrusted code in a secure environment.

Especially running on Heroku, your service would likely give you a lot of headaches if it were to be maliciously used (e.g. sending bulk SPAM using PHP's mail(), targeting other users via DoS using PHP's cURL). These problems would extend past just one user deleting files of another user and would likely get you banned from Heroku. A malicious actor can and will figure out ways around your system.

--

To take this a step further, let's consider what you theoretically would need to do to accomplish such a task.

You would begin by using something like Docker, a container that essentially runs like an operating system. You would need to configure the environment so that code running on the container has no internet access, is limited in CPU time, and is destroyed after each code execution.

Every time a user submits code, you would essentially copy the code into the container and allow the code to run. You would then be able to capture the output of the container and return that to the user.

This is a very rough outline of what you would need to accomplish this.


You can use the "open_basedir" PHP setting and wrap fiddle execution in something like:

// Restrict file access to the fiddle directory, then run the fiddle
ini_set('open_basedir', './fiddle');
include('fiddle/fiddle.php');

It will forbid fiddles from accessing the file system outside of their folder.
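The sandbox the first answer outlines (throwaway container, no network, CPU and memory limits, code copied in, output captured) combined with the open_basedir confinement from the second answer, as an added example that is not from either answer. It assumes a reachable Docker daemon and the public php:cli image; the flags are standard docker run and php CLI options, while the specific limits, the nobody uid and the disable_functions list are assumed hardening choices, not anything the answers prescribe.

```python
"""Run one untrusted PHP fiddle in a single-use, network-less container.

Added example, not code from the original answers. Assumes Docker is
installed and the public php:cli image can be pulled.
"""
import shutil
import subprocess
import tempfile
import uuid
from pathlib import Path

IMAGE = "php:cli"         # assumed image; pin a digest in production
CPU_LIMIT = "0.5"         # half a core
MEMORY_LIMIT = "128m"
PIDS_LIMIT = "64"         # caps fork bombs
WALL_CLOCK_SECONDS = 5    # hard timeout enforced from the host
# Assumed list: functions the answers name as abuse vectors plus shell spawners.
DISABLED = "mail,exec,shell_exec,system,passthru,proc_open,popen"


def build_sandbox_command(code_dir: Path, name: str) -> list[str]:
    """Return the argv for one isolated execution of /code/fiddle.php."""
    return [
        "docker", "run",
        "--name", name,
        "--rm",                           # container is destroyed after the run
        "--network", "none",              # no internet: no spam, no outbound DoS
        "--cpus", CPU_LIMIT,
        "--memory", MEMORY_LIMIT,
        "--pids-limit", PIDS_LIMIT,
        "--read-only",                    # immutable root filesystem
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",          # unprivileged 'nobody'
        "-v", f"{code_dir}:/code:ro",     # user code mounted read-only
        IMAGE,
        "php",
        "-d", "open_basedir=/code",       # same confinement the second answer uses
        "-d", f"disable_functions={DISABLED}",
        "/code/fiddle.php",
    ]


def run_fiddle(source: str) -> tuple[int, str, str]:
    """Copy user code into a fresh directory, run it once, return (rc, stdout, stderr)."""
    name = f"fiddle-{uuid.uuid4().hex}"
    with tempfile.TemporaryDirectory() as tmp:
        code_dir = Path(tmp)
        code_dir.chmod(0o755)             # the container's nobody user must read it
        script = code_dir / "fiddle.php"
        script.write_text(source)
        script.chmod(0o644)
        try:
            proc = subprocess.run(
                build_sandbox_command(code_dir, name),
                capture_output=True, text=True, timeout=WALL_CLOCK_SECONDS,
            )
        except subprocess.TimeoutExpired:
            # Killing the docker client does not stop the container; kill it by name.
            subprocess.run(["docker", "kill", name], capture_output=True)
            return 124, "", "killed: exceeded wall-clock limit"
        return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Constructed fiddle: prints a line, then tries to escape the allowed directory.
    SAMPLE = (
        "<?php\n"
        "echo \"hello from the sandbox\\n\";\n"
        "var_dump(@file_get_contents('/etc/hostname'));\n"   # blocked by open_basedir
    )
    if shutil.which("docker") is None:
        print("docker not found; showing the command that would run instead:")
        print(" ".join(build_sandbox_command(Path("/tmp/fiddle"), "fiddle-demo")))
    else:
        rc, out, err = run_fiddle(SAMPLE)
        print(f"exit={rc}\nstdout:\n{out}\nstderr:\n{err}")
```

The host-side timeout is what actually bounds runtime; --cpus only shapes scheduling share, so a tight loop without the timeout would still occupy the container until killed. The read-only mount plus open_basedir means a fiddle cannot touch another user's files even if it discovers their path.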