Scenario:
user enters video url
php downloads video with exec( "youtube-dl " . escapeshellarg($url) );
Question:
Is it safe enough?
Thanks!
escapeshellarg prevents the shell from misinterpreting your command-line, so you're safe there. However, you're still passing in user input to youtube-dl. While this is not a security risk, it will fail in certain cases. You want to add -- to make sure that the user's input is a URL and not an option:
exec( "youtube-dl -- " . escapeshellarg($url) );
This will also fix problems where the "URL" starts with a dash. For example, -8F4YF_pH-4 is a valid YouTube video ID.
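
An added example, not part of the original question or answer: it combines the "--" separator from the answer with an allow-list check on the input before the command line is built. The helper names normalize_target and build_command are hypothetical, and the 11-character video ID pattern is an assumption based on the ID quoted above.

```php
<?php
// Added example; helper names are hypothetical, not from the original post.

/**
 * Accept only an http(s) URL or a bare video ID.
 * Returns the trimmed input, or null if it is rejected.
 */
function normalize_target(string $input): ?string
{
    $input = trim($input);

    // Assumed ID format: 11 characters from [A-Za-z0-9_-].
    // Such an ID may legitimately start with a dash.
    if (preg_match('/\A[A-Za-z0-9_-]{11}\z/', $input) === 1) {
        return $input;
    }

    // Otherwise require an absolute http(s) URL with a host.
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    $host   = parse_url($input, PHP_URL_HOST);
    if (!in_array($scheme, ['http', 'https'], true) || empty($host)) {
        return null;
    }
    return $input;
}

/** "--" ends option parsing, so the value is always treated as an operand. */
function build_command(string $target): string
{
    return 'youtube-dl -- ' . escapeshellarg($target);
}

// Constructed sample inputs.
$samples = [
    'https://www.youtube.com/watch?v=-8F4YF_pH-4',
    '-8F4YF_pH-4',                  // valid ID that starts with a dash
    '--some-option=value',          // neither a URL nor an ID
    'ftp://example.com/video.mp4',  // scheme not on the allow-list
];

foreach ($samples as $s) {
    $t = normalize_target($s);
    echo $s, ' => ', $t === null ? 'rejected' : build_command($t), PHP_EOL;
}
```

The allow-list alone is not enough, because an 11-character value that matches the ID pattern can still begin with dashes; the "--" separator is what keeps it from being parsed as an option.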