Can't help thinking that something's playing fast-and-loose with parsing that query string -- if it looks like a number, it's a number; if it's quoted, then it's a string.

I wonder if there's any scope for misusing that parsing -- like, if the server is Node.js for example, throw a JavaScript eval in there somehow...?
_________________________
-- roger