Google Blogoscoped

Forum

Googling for SQL Injections  (View post)

Tony Ruscoe [PersonRank 10]

Wednesday, September 27, 2006
17 years ago4,261 views

Weird. Read this, taken from Webmaster Guidelines in Google's Webmaster Help Center:

<< Don't use "&id=" as a parameter in your URLs, as we don't include these pages in our index. >>

http://www.google.com/support/webmasters/bin/answer.py?answer=35769

So that's obviously not true then!

(BTW, for any sites using SQL Server it's much more likely to just throw an error instead of allowing you to use any SQL injection techniques as you'll get a data type mismatch.)

Anyway, I bet many sites using "id=" parameters allow you to access other people's data without even using SQL injection just because they've not added any security.

I've mentioned this and other security-related issues here:

Webmasters: Secure your code!
http://ruscoe.net/blog/2006/05/webmasters-secure-your-code.asp

Tony Ruscoe [PersonRank 10]

17 years ago #

Just to clarify... when I said:

<< ... for any sites using SQL Server ... >>

I actually meant:

<< ... for any sites using SQL Server *Stored Procedures* ... >>

Philipp Lenssen [PersonRank 10]

17 years ago #

Ahhh... now that makes more sense :)

anonnie mouse [PersonRank 0]

17 years ago #

thats why i never use common terms like "id=" or "index=" in my urls. in fact, you should use mod_rewrite so that no variables appear in your urls.

Philipp Lenssen [PersonRank 10]

17 years ago #

Anonnie, but the information must be outdated (as IDs can be found). However, I agree it's better to replace parameters with htaccessified nice URLs...

Wonderer [PersonRank 0]

17 years ago #

Am I just stupid, or is there no more source available to actually get the Google SQL injection tool? I can't find any link to download this thingy.

GreetZ

the wonderer

Philipp Lenssen [PersonRank 10]

17 years ago #

The tool was never available, to prevent abuse I guess.

Philipp Lenssen [PersonRank 10]

17 years ago #

Google updated their webmaster guidelines now to amend the cited "id" statement:
http://googlewebmastercentral.blogspot.com/2006/10/update-to-our-webmaster-guidelines.html

Tony Ruscoe [PersonRank 10]

17 years ago #

BTW, in reference to my comment above, Google have now removed that "id=" statement from their guidelines. From the Google Webmaster Central Blog:

<< As the web continues to change and evolve, our algorithms change right along with it. Recently, as a result of one of those algorithmic changes, we've modified our webmaster guidelines. Previously, these stated:

   Don't use "&id=" as a parameter in your URLs, as we don't include these pages in our index.

However, we've recently removed that technical guideline, and now index URLs that contain that parameter. So if your site uses a dynamic structure that generates it, don't worry about rewriting it – we'll accept it just fine as is. >>

http://googlewebmastercentral.blogspot.com/2006/10/update-to-our-webmaster-guidelines.html

Philipp Lenssen [PersonRank 10]

17 years ago #

Gee, what great timing for us to post on the same 1-month old thread the same minute! Now you got to tell me how *you* found this thread 'cause I had to go straight to the SQL database to locate it :)

Tony Ruscoe [PersonRank 10]

17 years ago #

The same way I always find old forum posts... ;-)

[site:blog.outer-court.com/forum <search terms>]

i.e. [site:blog.outer-court.com/forum "id="]

http://www.google.com/search?q=site%3Ablog.outer-court.com%2Fforum+%22id%3D%22

Surprisingly, it was the 5th result!

And I know the "=" character isn't supported in the search term, but I added it just for good measure anyway...

Tony Ruscoe [PersonRank 10]

17 years ago #

Update: I just checked my search history... I'd actually searched for:

[site:blog.outer-court.com/forum "id=" guidelines]

http://www.google.com/search?q=site:blog.outer-court.com/forum+%22id%3D%22+guidelines

And it was the top result.

Philipp Lenssen [PersonRank 10]

17 years ago #

Weird, that result seems to be not yet visible via the Google web search API which I'm using here. Sigh.

/pd [PersonRank 10]

17 years ago #

Actually Philipp, initally I started using your searchlet for looking up posts/fourm stuff. . but frankly I gave up and use the normal seachlet of goog's... maybe its time to create a CES just for blogoscoped.. :)_

Tony Ruscoe [PersonRank 10]

17 years ago #

That sucks. I've seen many inconsistencies between the indexes used on Google.com and their API. Why can't they just use the same index for everything?

Tony Ruscoe [PersonRank 10]

17 years ago #

/pd – I just created one (out of interest) and it returns the same results but in a slightly different order.

Perhaps the weighting of the keyword "ashdufadhsfilusdhfiuasguighsdigsdf" affected the ordering...?

Philipp Lenssen [PersonRank 10]

17 years ago #

> Actually Philipp, initally I started using your searchlet
> for looking up posts/fourm stuff. . but frankly I gave up
> and use the normal seachlet of goog's...

May I ask what features you found the site search here to be lacking, or anything else why you don't use it...?

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!