Query string in PHP
Does this code have any security problems? Is it a correct way to handle a query string?
I don't usually use this type of code, hence my question.
<?php
// read the page selector from the request (avoids an undefined-index notice when absent)
$id = isset($_REQUEST['id']) ? $_REQUEST['id'] : '';
?>
<?php
// map the selector to a file; anything unknown falls back to home.php
switch ($id) {
case "principal":
$pagina = "pag.php";
break;
case "perfil":
$pagina = "secure.php";
break;
default:
$pagina = "home.php";
break;
}
?>
<?php
if (isset($pagina) && file_exists($pagina)) {
include($pagina);
} else {
echo "Page error";
}
?>
If your select statement gets big I'd recommend using arrays:
// array of pages
$paginas = array(
'principal' => 'pag.php',
'perfil' => 'secure.php'
);
// the keys are strings, so the value must stay a string (an (int) cast would never match)
$id = isset($_GET['id']) ? (string)$_GET['id'] : '';
if ( isset( $paginas[$id] ) && file_exists($paginas[$id]) ) {
require( $paginas[$id] );
}
else {
require('home.php');
}
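An added example, not code from the question or from any answer, that combines the allow-list idea above with the access check the question's secure.php needs. The function names, the per-page auth flag and the use of $_SESSION['user'] as the login marker are assumptions for illustration.

```php
<?php
// Added example: an allow-list page dispatcher. Function names and the
// 'auth' flag are illustrative assumptions, not the question's own code.
declare(strict_types=1);

// Allow-list: the only files the query string may ever select.
// 'auth' marks pages that additionally require a logged-in session.
const PAGES = [
    'principal' => ['file' => 'pag.php',    'auth' => false],
    'perfil'    => ['file' => 'secure.php', 'auth' => true],
];
const DEFAULT_PAGE = 'home.php';

/**
 * Map a raw query value to a file from the allow-list.
 * Returns null when the page needs authentication the visitor lacks.
 */
function resolve_page($rawId, bool $loggedIn): ?string
{
    // ?id[]=x arrives as an array; anything but a plain string is rejected.
    // Do not cast to (int): the keys are strings, so every lookup would
    // fail and silently send everyone to the default page.
    if (!is_string($rawId) || !isset(PAGES[$rawId])) {
        return DEFAULT_PAGE;
    }
    $entry = PAGES[$rawId];
    if ($entry['auth'] && !$loggedIn) {
        return null; // known page, but this visitor may not see it
    }
    return $entry['file'];
}

// Dispatch: the included path comes only from the allow-list, never from
// the request, so ../ or remote URLs in ?id= can never reach require().
// Assumes session_start() already ran if sessions are in use.
$page = resolve_page($_GET['id'] ?? null, isset($_SESSION['user']));
if ($page === null) {
    http_response_code(403);
    echo 'Forbidden';
} elseif (is_file(__DIR__ . '/' . $page)) {
    require __DIR__ . '/' . $page;
} else {
    http_response_code(404);
    echo 'Page error';
}
```

Guessing a valid id (as the next answer points out) then only gets the visitor the 403, because the allow-list entry itself records that secure.php requires a session.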
The only possible problem is that if you're getting ID from the $_REQUEST, someone could change your query by putting ?id=x in the URL string. It might not matter in your case (tough to say since we don't know the full context of what's going on) but it's a possibility. You could make it a bit more secure by sending the variable to the page via a $_POST, which is hidden to the user.
An intruder could guess the id from secure.php and access it by entering yourpage.php?id=perfil in his browser...
You have a handler for every situation involving $id so it should be safe. You also don't need (isset($pagina)), since $pagina will always be set.
I'd add some htmlspecialchars to that. You never know what people could try doing!
If you wanted to be "doubly" sure, then you could always do:
filter_var($val, FILTER_SANITIZE_STRING);