I have a page like this. User write an URL into a form and submit. Once the URL is submitted, I connect that page with CURL, search for a string. If it finds the string, it adds URL into our database. If not, it gives an error to user.

I sanitize URL with htmlspecialchars() also a regex to allow A-Z, 1-9, :/-. symbols. I also sanitize the content retrieved from other website with htmlspecialchars() also.

My question is, can they enter an URL like; www.evilwebsite.com/shell.exe or shell.txt

Would PHP run it, or simply look for the HTML output? Is it safe as it is or if not, what should I do?

Thank you.

Ps. allow_url_fopen is disabled. That's why I use curl.

I don't see why htmlspecialchars or a Regex would be necessary here, you don't need those. Also, there is no way that PHP will "automatically" parse the content retrieved using cURL. So yes, it is save (unless you do stuff like eval with the output).

However, when processing the retrieved content later, be aware that the input is user-provided and needs to be handled accordingly.

curl makes a request and to a server and the server sends back data. If there were an executable file on a web server you'd get back the binary of the file. Unless you write the file to your disk and execute it there should be no problem. Security in that sense should not be an issue.