Weird. Read this, taken from Webmaster Guidelines in Google's Webmaster Help Center:
<< Don't use "&id=" as a parameter in your URLs, as we don't include these pages in our index. >>
http://www.google.com/support/webmasters/bin/answer.py?answer=35769
So that's obviously not true then!
(BTW, for any sites using SQL Server it's much more likely to just throw an error instead of allowing you to use any SQL injection techniques as you'll get a data type mismatch.)
Anyway, I bet many sites using "id=" parameters allow you to access other people's data without even using SQL injection just because they've not added any security.
I've mentioned this and other security-related issues here:
Webmasters: Secure your code! http://ruscoe.net/blog/2006/05/webmasters-secure-your-code.asp
|
Just to clarify... when I said:
<< ... for any sites using SQL Server ... >>
I actually meant:
<< ... for any sites using SQL Server *Stored Procedures* ... >> |
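The two points made in the comments above (a typed id parameter rejects injected text, yet an "id=" lookup with no access check still exposes other people's rows), as an added example that is not code from any poster in this thread. It uses Python with SQLite as a stand-in for SQL Server stored procedures, and the table, column and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one document each.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)",
                   [(1, "alice", "alice's invoice"), (2, "bob", "bob's invoice")])
    return db

def parse_id(raw):
    # Stand-in for a typed INT stored-procedure parameter: anything that is
    # not a plain decimal integer is rejected before it reaches the database.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be an integer")
    return int(raw)

def get_doc_unchecked(db, raw_id):
    # Typed and parameterized, so injected text is rejected, but any caller
    # can still read any row just by changing id= in the URL.
    row = db.execute("SELECT body FROM docs WHERE id = ?",
                     (parse_id(raw_id),)).fetchone()
    return row[0] if row else None

def get_doc(db, raw_id, session_user):
    # Same query plus an ownership check: the row must belong to the
    # authenticated user, taken from the session and never from the request.
    row = db.execute("SELECT body FROM docs WHERE id = ? AND owner = ?",
                     (parse_id(raw_id), session_user)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(get_doc_unchecked(db, "2"))    # no access check: returns bob's row
    print(get_doc(db, "2", "alice"))     # alice asking for bob's row: None
    print(get_doc(db, "2", "bob"))       # bob asking for his own row
```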
Ahhh... now that makes more sense :) |
That's why I never use common terms like "id=" or "index=" in my URLs. In fact, you should use mod_rewrite so that no variables appear in your URLs.
|
Anonnie, but the information must be outdated (as IDs can be found). However, I agree it's better to replace parameters with htaccessified nice URLs... |
Am I just stupid, or is there no more source available to actually get the Google SQL injection tool? I can't find any link to download this thingy.
GreetZ
the wonderer |
The tool was never available, to prevent abuse I guess. |
Google updated their webmaster guidelines now to amend the cited "id" statement: http://googlewebmastercentral.blogspot.com/2006/10/update-to-our-webmaster-guidelines.html |
BTW, in reference to my comment above, Google have now removed that "id=" statement from their guidelines. From the Google Webmaster Central Blog:
<< As the web continues to change and evolve, our algorithms change right along with it. Recently, as a result of one of those algorithmic changes, we've modified our webmaster guidelines. Previously, these stated:
Don't use "&id=" as a parameter in your URLs, as we don't include these pages in our index.
However, we've recently removed that technical guideline, and now index URLs that contain that parameter. So if your site uses a dynamic structure that generates it, don't worry about rewriting it – we'll accept it just fine as is. >>
http://googlewebmastercentral.blogspot.com/2006/10/update-to-our-webmaster-guidelines.html |
Gee, what great timing for us to post on the same 1-month-old thread the same minute! Now you got to tell me how *you* found this thread 'cause I had to go straight to the SQL database to locate it :) |
The same way I always find old forum posts... ;-)
[site:blog.outer-court.com/forum <search terms>]
i.e. [site:blog.outer-court.com/forum "id="]
http://www.google.com/search?q=site%3Ablog.outer-court.com%2Fforum+%22id%3D%22
Surprisingly, it was the 5th result!
And I know the "=" character isn't supported in the search term, but I added it just for good measure anyway... |
Update: I just checked my search history... I'd actually searched for:
[site:blog.outer-court.com/forum "id=" guidelines]
http://www.google.com/search?q=site:blog.outer-court.com/forum+%22id%3D%22+guidelines
And it was the top result. |
Weird, that result seems to be not yet visible via the Google web search API which I'm using here. Sigh. |
Actually Philipp, initially I started using your searchlet for looking up posts/forum stuff... but frankly I gave up and use the normal searchlet of goog's... maybe it's time to create a CES just for blogoscoped.. :) |
That sucks. I've seen many inconsistencies between the indexes used on Google.com and their API. Why can't they just use the same index for everything? |
/pd – I just created one (out of interest) and it returns the same results but in a slightly different order.
Perhaps the weighting of the keyword "ashdufadhsfilusdhfiuasguighsdigsdf" affected the ordering...? |
> Actually Philipp, initially I started using your searchlet
> for looking up posts/forum stuff... but frankly I gave up
> and use the normal searchlet of goog's...
May I ask what features you found the site search here to be lacking, or anything else why you don't use it...? |