Yeah, there is danger: If database name comes from an untrusted source hackers could try to inject shell commands in the database name. For example:
$dbname = 'test; cat /etc/shadow';
might being used to obtain user names and encrypted passwords from the system (depends on the system)..
To avoid that, you should use escapeshellarg()
to quote the database name (and possible other arguments):
shell_exec('mysqldump ' . escapeshellarg($database_name));
set_time_limit()
isn't required if you are following my hints here
Needless to say, that you'll have to secure the page using login.