Last modified: 2009-02-27 16:04:21 UTC
When using JSON format only, with redirects=redirects, if a page title happens to be an integer, the title is not quoted as a string in the response but is sent as an integer. This occurs, for example, in the response to
http://en.wikipedia.org/w/api.php?action=query&titles=-100&prop=info&redirects=redirects&format=jsonfm

Note that in the response, the title -100 is not quoted in the redirects value --

"redirects": [ { "from": -100, "to": "100 BC" } ],

However, in the XML response to http://en.wikipedia.org/w/api.php?action=query&titles=-100&prop=info&redirects=redirects, the title "-100" is quoted properly; also, in http://en.wikipedia.org/w/api.php?action=query&titles=-100&prop=info&format=jsonfm, where the redirect is not resolved, the title "-100" is quoted properly.
This is a side-effect of PHP's weak typing; something's overzealously converting the string-that-looks-like-an-int to an integer during processing. The JSON formatter then, quite correctly, outputs a formatted integer rather than a string. (You can verify this by slipping in a var_dump() on the request data in ApiFormatJson::execute(); the -100 is listed as an int, not a string.)
Note that while this means there's not a worry about security, one _can_ worry about it causing problems with use of the data in a more strongly-typed language, say Python, where ints and strings aren't freely interchangeable.
Fixed in r32820. It appears that PHP automatically converts array keys that look like integers to integers. I knew that PHP was weakly typed, but this weakly typed...
This has raised its ugly head again. In the response to the following query --
http://en.wikipedia.org/w/api.php?action=query&prop=categoryinfo&titles=Category:X1&format=jsonfm
three of the four numeric values are quoted, but one is not.

"pageid": 18413500, "ns": 14, "title": "Category:X1", "categoryinfo": { "size": "8", "pages": 8, "files": "0", "subcats": "0"

These are numbers that are really numbers that are not being quoted, while some others are. I agree that this is inconsistent, but it's not invalid. Reclosing as FIXED because the unquoted things really are integers, not strings that happen to look like them.
Those numbers refer to amounts, which are always numbers and should be ints and not strings.
But then the quoted values shouldn't be quoted. The current output format makes no sense.
(In reply to comment #7)
> But then the quoted values shouldn't be quoted. The current output format
> makes no sense.

I've converted all numeric values I could find to integers in r47865.
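Added example, not part of the original thread or of MediaWiki's code: a Python client that coerces the fields quoted above to one type each, so that neither the integer title in "redirects" nor the mixed quoting in "categoryinfo" reaches the calling code. The sample responses are constructed from the fragments in this thread, and the helper names and field lists are assumptions.

```python
import json

# Constructed samples built from the fragments quoted in the thread.
REDIRECT_RESPONSE = '{"redirects": [{"from": -100, "to": "100 BC"}]}'
CATEGORY_RESPONSE = (
    '{"pageid": 18413500, "ns": 14, "title": "Category:X1", '
    '"categoryinfo": {"size": "8", "pages": 8, "files": "0", "subcats": "0"}}'
)

# Assumed field lists: titles must be strings, counts and ids must be ints.
TITLE_FIELDS = {"from", "to", "title"}
COUNT_FIELDS = {"pageid", "ns", "size", "pages", "files", "subcats"}


def _is_scalar(value):
    # bool is a subclass of int in Python; exclude it explicitly.
    return isinstance(value, (int, str)) and not isinstance(value, bool)


def normalize(node):
    """Recursively coerce known fields to a single type (hypothetical helper)."""
    if isinstance(node, list):
        return [normalize(item) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in TITLE_FIELDS and _is_scalar(value):
            out[key] = str(value)   # -100 -> "-100"
        elif key in COUNT_FIELDS and _is_scalar(value):
            out[key] = int(value)   # "8" -> 8; ValueError if not numeric
        else:
            out[key] = normalize(value)
    return out


def raw_redirect_sources(text):
    """The 'from' values exactly as json.loads returns them."""
    return [r["from"] for r in json.loads(text)["redirects"]]


def redirect_map(text):
    """{from_title: to_title} with string keys, whatever the server sent."""
    return {r["from"]: r["to"] for r in normalize(json.loads(text))["redirects"]}


def category_counts(text):
    """The categoryinfo block with every count as an int."""
    return normalize(json.loads(text))["categoryinfo"]
```

Without the normalization step, a lookup such as `"-100" in mapping` fails because the key arrives as the integer -100.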