PHP safe $_GET or not

Tags:

php

get

We have url:

http://site.com/index.php?action=show

$_GET['action'] is used in templates to check value of ?action=:

switch ($_GET['action']) {
    case = "show" {
        $match_show = true;
    }
}

and in other place:

echo $_GET['action'];

Is it absolutely safe to use these constructions?

How to make them safe?

Thanks.

James asked Aug 02 '10 15:08


1 Answer

The switch thing is okay, because you are comparing against a hard-coded value (however, it's case "show": btw).

As @Bruce mentions in the comments, you should add a default: case as well to catch values that are not on the list, or empty values:

switch ($_GET['action']) {

    case "show":
        $match_show = true;
        break;

    default:
        // value is not on the list. React accordingly.
        echo "Unknown value for 'action'";

}

The second thing is potentially dangerous, as it would be possible to inject HTML and, more importantly, JavaScript into the document body. You should apply htmlspecialchars() to the variable before echoing it.

Pekka answered Sep 19 '22 08:09
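The two points in the answer (allowlist the action, escape on output), put together as an added example that is not part of the question or the answer. The function names resolveAction() and e(), the allowlist contents and the sample request value are assumptions; a constructed array stands in for $_GET so the script runs from the command line.

```php
<?php
// Added example, not code from the original question or answer.
declare(strict_types=1);

// Allowlist of actions the template understands (assumed values).
const ALLOWED_ACTIONS = ['show', 'list', 'edit'];

/**
 * Resolve ?action= against the allowlist. A missing value, a non-string
 * (PHP turns ?action[]=x into an array) or an unknown value falls back
 * to the default, so the switch in the template never sees raw input.
 */
function resolveAction(array $query, string $default = 'show'): string
{
    $action = $query['action'] ?? null;
    if (!is_string($action) || !in_array($action, ALLOWED_ACTIONS, true)) {
        return $default;
    }
    return $action;
}

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request: a value that is not on the list and carries markup.
$query = ['action' => '<script>alert(1)</script>'];

$action     = resolveAction($query);   // unknown value rejected -> 'show'
$match_show = ($action === 'show');

// Only ever reflect the raw parameter after checking it is a string.
$raw = is_string($query['action'] ?? null) ? $query['action'] : '';

// Unsafe: what the question does; the markup reaches the browser as-is.
$unsafe = 'Action: ' . $raw;
// Safe: escape at output time; the browser renders the text literally.
$safe = 'Action: ' . e($raw);

echo "resolved action: $action, match_show=" . var_export($match_show, true) . "\n";
echo "unsafe output:   $unsafe\n";
echo "safe output:     $safe\n";
```

Note that resolveAction() protects the switch, while e() protects the echo; one does not replace the other, because an allowed action still needs escaping when it is written back into the page.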