Page MenuHomePhabricator
Create Task
Maniphest T184458

Floats are badly interpreted in SQL when locale is not English
Closed, DeclinedPublic
Actions

Description

When:

  • a float is used in a SQL function (e.g. Database::insert()) AND
  • wgShellLocale is not en_US.UTF-8 or C.UTF-8 but a locale with a comma as decimal separator (e.g. fr_FR.UTF-8)

Then the value is truncated to its integer part.

To reproduce it:
It happens that page_propos has a column with the type FLOAT, hence I use it for this example.
Use a test wiki for this example, it changes the database in a way MediaWiki could misfunction after.

  1. Set $wgShellLocale = 'fr_FR.UTF-8'; in LocalSettings.php
  2. Launch maintenance/eval.php with the commands:
$row = [ 'pp_page' => 1, 'pp_propname' => 'test', 'pp_value' => 'test', 'pp_sortkey' => 0.37 ];
$dbw = wfGetDB( DB_MASTER );
$dbw->insert( 'page_props', $row, __METHOD__ );
  1. In the database see that the value for pp_sortkey is 0.
  2. Delete the added line.
  3. Set $wgShellLocale = 'C.UTF-8'; in LocalSettings.php
  4. Re-do step 2
  5. In the database see that the value for pp_sortkey is 0.37.

I wrongly reported it as a PHP bug #69348, but real_escape_string() really wants a string as input parameter, hence a silent conversion float -> string is done with the current locale. An explicit conversion should be done using a fixed locale (C.UTF-8 I guess) or without locale if possible.

Related Objects

Event Timeline

Seb35 created this task.Jan 8 2018, 4:49 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 8 2018, 4:49 PM
Seb35 mentioned this in T181987: Thumbnails are broken (False decimal point in srcset when locale is not English).Jan 8 2018, 5:06 PM
Envlh subscribed.Jan 8 2018, 5:07 PM
Seb35 added a comment.Jan 8 2018, 10:59 PM

Searching on the Internet, a lot of people have this issue, either casting float to string (like here) or string to float. The best solution I found (the most generic one) is:

$localeinfo = localeconv();
$floatString = str_replace( $localeinfo['mon_decimal_point'], '.', $floatFloat );

Source: https://secure.php.net/manual/fr/function.floatval.php#92563

According to https://secure.php.net/manual/en/language.types.string.php the decimal point is used and there is no mention to other locale-aware parts (e.g. thousand separator), hence the code above is probably the most generic one.

Another solution is number_format where the separators can be specified, but you have to specify the precision, and I’m not sure the precision can be safely determined. It could be used the maximum precision (but perhaps dependent on the plateform) and then the zeros on the right removed, but I’m not sure it is safe and it’s probably slow.

238482n375 set Security to Software security bug.Jun 15 2018, 8:06 AM
238482n375 added a project: acl*security.
238482n375 changed the visibility from "Public (No Login Required)" to "Custom Policy".
238482n375 subscribed.
This comment was removed by Krinkle.
Aklapper removed a project: acl*security.Jun 15 2018, 1:29 PM
Aklapper changed the visibility from "Custom Policy" to "Public (No Login Required)".
Aklapper removed a subscriber: 238482n375.
Krinkle moved this task from Untriaged to Rdbms library on the MediaWiki-libs-Rdbms board.Jun 27 2019, 9:14 PM
Restricted Application added a project: acl*security. · View Herald TranscriptJun 27 2019, 9:14 PM
Krinkle subscribed.Jul 25 2019, 9:22 PM
Restricted Application added a project: Platform Engineering. · View Herald TranscriptJul 25 2019, 9:22 PM
Krinkle removed a project: Platform Engineering.Jul 25 2019, 9:40 PM
chasemp triaged this task as Low priority.Dec 9 2019, 5:11 PM
Krinkle closed this task as Declined.EditedDec 10 2019, 6:58 PM

As of MediaWiki 1.30, it is no longer supported to set wgShellLocale to something other than C.UTF-8 or equivalent with 8 character set and language-agnostic behaviour.

For localisation of the wiki, this setting does not need to be altered. MediaWiki has its own support systems for that. Including for example as used on Wikipedia. E.g. all language editions of Wikipedia as hosted by Wikimedia Foundation use $wgShellLocale = 'C.UTF-8';.

chasemp added a project: Security.Feb 10 2020, 11:00 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:18 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL