This is a side-effect of PHP's weak typing; something's overzealously converting the string-that-looks-like-an-int to an integer during processing.

The JSON formatter then, quite correctly, outputs a formatted integer rather than a string. (You can verify this by slipping in a var_dump() on the request data in ApiFormatJson::execute(); the -100 is listed as an int, not a string.)

Note that while this means there's not a worry about security, one _can_ worry about it causing problems with use of the data in a more strongly-typed language, say Python, where ints and strings aren't freely interchangable.

Bryan.TongMinh wrote:

Fixed in r32820. It appears that PHP automatically converts array keys that look like integers to integers. I knew that PHP was weakly types, but this weakly typed...

russblau wrote:

This has raised its ugly head again. In the response to the following query --

http://en.wikipedia.org/w/api.php?action=query&prop=categoryinfo&titles=Category:X1&format=jsonfm

three of the four numeric values are quoted, but one is not.

"pageid": 18413500,

				"ns": 14,
				"title": "Category:X1",
				"categoryinfo": {
					"size": "8",
					"pages": 8,
					"files": "0",
					"subcats": "0"

These are numbers that are really numbers that are not being quoted, while some others are. I agree that this is inconsistent, but it's not invalid. Reclosing as FIXED because the unquoted things really are integers, not strings that happen to look like them.

Bryan.TongMinh wrote:

Those numbers refer to amounts, which are always numbers and should be ints and not strings.

russblau wrote:

But then the quoted values shouldn't be quoted. The current output format makes no sense.

(In reply to comment #7)

But then the quoted values shouldn't be quoted. The current output format
makes no sense.

I've converted all numeric values I could find to integers in r47865.