Is PHP's eval() function vulnerable to code injection when executing a string built from an array?

No, this is not vulnerable to PHP code injection.

The string passed to eval() is simply not user-controlled. There is no path from the source $_GET["cmd1"] to the sink eval():

  • The argument to eval() is $cmd.
  • $cmd is assembled from a fixed string and $params.
  • $params is accumulated from a fixed string and $i.
  • $i is an iteration variable that depends on the (fixed) length of the array $text.

That said, passing a generated array through eval is certainly not good style, and you're obviously not sanitizing output, which makes the code vulnerable to XSS.
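The data flow traced in the answer above, as an added example that is not the asker's code (which is not shown on this page): the string given to eval() is built only from fixed text and the loop index, and the same call is then made without eval() and with output escaping. The function `render_row`, the contents of `$text`, and the assumption that the array elements hold untrusted values are all constructed for illustration.

```php
<?php
// Constructed reconstruction of the pattern the answer describes.

// Hypothetical output function standing in for whatever the original code called.
function render_row(string ...$cells): string
{
    // Escape at the output boundary: this addresses the XSS the answer mentions.
    $safe = array_map(
        fn (string $c): string => htmlspecialchars($c, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        $cells
    );
    return '<tr><td>' . implode('</td><td>', $safe) . "</td></tr>\n";
}

// Constructed sample values (assumption: the array elements carry untrusted
// data). They contain PHP and HTML metacharacters on purpose.
$text = ['plain', '"); phpinfo(); //', '<script>alert(1)</script>'];

// Pattern from the answer: $params is accumulated from a fixed string and $i.
$params = '';
for ($i = 0; $i < count($text); $i++) {
    // Single quotes: the literal characters "$text[0]" are appended,
    // not the element's value.
    $params .= ($i ? ', ' : '') . '$text[' . $i . ']';
}

// $cmd is assembled from a fixed string and $params, so it holds only
// references to $text; the element values never enter the code string.
$cmd = 'return render_row(' . $params . ');';
$viaEval = eval($cmd);

// Equivalent call without eval(): argument unpacking replaces generated source.
$direct = render_row(...$text);

var_dump($cmd);                   // the exact source eval() received
var_dump($viaEval === $direct);   // both paths produce the same escaped row
echo $direct;
```

If a value were concatenated into `$cmd` instead of a `$text[$i]` reference, the source-to-sink path the answer rules out would exist, which is why the unpacking form is the safer habit.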