I want to allow users to add youtube videos using the provided <embed> code that youtube provides. Is there a way to make sure that users don't try to sqlinject or run other code that is not a youtube video?

In the stickies there is a section about security http://www.webmaster-talk.com/php-fo...rials-how.html

Take a look at the code behind:
http://mods.mybboard.net/view/youtube-tag

It's not 100% what you need, but essentially the code there takes the URL of the page were the content is located and generates the embed code.

You might not want to use the code YouTube provides. It doesn't validate, but if you rewrite it, it can still work.

I recently used this to allow people to paste the embed code into a field. It then extracted the YouTube ID code from the pasted code and re-created the HTML. Hope it helps and if anyone sees anything wrong with it, please let me know:

PHP Code:

<?php
list ($g,$code,$g) = explode('youtube.com/', $_POST['youtube']);
list($youtube_code,$g) = explode('"',$code);
$youtube_code = preg_replace('/[^a-z&\/=0-9]/i','',$youtube_code);
if (strlen($youtube_code) > 0) {
  $youtube_file_contents = '<object width="425" height="355"><param name="movie" value="http://www.youtube.com/'.$youtube_code.'"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/'.$youtube_code.'" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>';
}
?>

EDIT: I wrote that before I knew that strpos was faster. I don't know that that will be significant in this routine, however.