Hi there everyone!
With the help of like 40 Stack Exchange search results and the PHP manual, I've managed to piece together a snippet of code that takes a YouTube URL and extracts the video code for database insertion. I get very nervous with things of this nature, simply because I know that malicious users are much more knowledgeable than I and I worry about using it in a manner it wasn't intended. Here's my code:
function vidURL($url){
    // Split the URL into its components. parse_url() returns null for a missing part.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    if(substr($host, 0, 4) == 'www.'){
        // Drop the literal "www." prefix. ltrim($host, "www.") would strip any
        // leading 'w' and '.' characters, not the prefix as a whole.
        $host = substr($host, 4);
    }
    $user = parse_url($url, PHP_URL_USER);
    $pass = parse_url($url, PHP_URL_PASS);
    $path = (string) parse_url($url, PHP_URL_PATH);
    $path = ltrim($path,"/");
    $query = (string) parse_url($url, PHP_URL_QUERY);
    $fragment = parse_url($url, PHP_URL_FRAGMENT);
    /**************************************************/
    /** START YOUTUBE **/
    /**************************************************/
    /* First, make sure we've got the right domain. */
    if($host == 'youtube.com'){
        /* Long YT link. It will be a GET var. */
        parse_str($query, $vidArray);
        /* 'v' may be missing, or an array (?v[]=...), so check it exists and is a string first. */
        if(isset($vidArray['v']) AND is_string($vidArray['v']) AND ctype_alnum($vidArray['v'])){
            $embed_type = 'youtube';
            $vid_string = substr($vidArray['v'], 0, 11);
            $vidKey['a'] = $embed_type;
            $vidKey['b'] = $vid_string;
            return $vidKey;
        }
    }
    if($host == 'youtu.be' AND ctype_alnum($path)){
        /* Fancy new .be link. It will be in the form of a path. */
        $embed_type = 'youtube';
        $vid_string = substr($path, 0, 11);
        $vidKey['a'] = $embed_type;
        $vidKey['b'] = $vid_string;
        return $vidKey;
    }
    /**************************************************/
    /** END YOUTUBE **/
    /**************************************************/
    /* No supported source matched: return the 'FALSE' marker pair. */
    if(!isset($embed_type)){
        $vidKey['a'] = 'FALSE';
        $vidKey['b'] = 'FALSE';
        return $vidKey;
    }
}
I've read a lot and have done a lot of things that were suggested during my reading, like keeping parse_str in an array format to keep from overwriting unintended vars, restricted the code to 11 characters (I understand this can change later, but am trying to check against the string restrictions as they are now) and I've checked to make sure nothing but letters/numbers got passed.
I'm wondering if I'm missing something? If you were trying to handle this, is there something else you would check for?
I know that there's stuff in the code that doesn't apply to what I'm doing, but the snippet will eventually handle more video sources and I don't know what I'll need yet.
Thanks for your time!
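
An added example, not part of the original post and not the poster's code: a stricter variant of the checks described above that rejects anything not matching an exact ID pattern instead of truncating to 11 characters. The function name `extractYouTubeId`, the sample URLs and the assumed ID format (exactly 11 characters from letters, digits, `-` and `_`) are assumptions.

```php
<?php
// Added example. Assumption: a YouTube video ID is exactly 11 characters
// drawn from A-Z, a-z, 0-9, '-' and '_'. extractYouTubeId() is a hypothetical name.
function extractYouTubeId(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                      // malformed or relative URL
    }
    // Allow only web schemes; javascript:, data:, ftp: and the like are rejected.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials (user:pass@host) have no place in a video link.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact-match host allow-list, so youtube.com.example.net does not pass.
    $host = strtolower($parts['host']);
    if ($host === 'youtube.com' || $host === 'www.youtube.com') {
        parse_str($parts['query'] ?? '', $params);
        $candidate = $params['v'] ?? null;   // an array when sent as ?v[]=...
    } elseif ($host === 'youtu.be') {
        $candidate = ltrim($parts['path'] ?? '', '/');
    } else {
        return null;
    }
    // Validate the whole value; \A and \z anchor it (a bare $ allows a trailing newline).
    if (!is_string($candidate)
        || preg_match('/\A[A-Za-z0-9_-]{11}\z/', $candidate) !== 1) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs; aB3_dE-9xYz is a made-up ID.
$samples = [
    'https://www.youtube.com/watch?v=aB3_dE-9xYz',
    'https://youtu.be/aB3_dE-9xYz',
    'https://youtube.com.example.net/watch?v=aB3_dE-9xYz',
    'https://user:pw@youtube.com/watch?v=aB3_dE-9xYz',
    'https://youtube.com/watch?v[]=aB3_dE-9xYz',
    'https://youtu.be/aB3_dE-9xYzEXTRA',
];
foreach ($samples as $u) {
    printf("%-52s => %s\n", $u, var_export(extractYouTubeId($u), true));
}
```

Validation narrows what reaches the database, but the insert itself should still bind the ID as a prepared-statement parameter.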