Google Blogoscoped

Forum

Google SQL-Like Injection

Justin Pfister [PersonRank 10]

Friday, November 3, 2006
16 years ago, 3,019 views

I did a search and Google outputs HTML code on the result screen, almost like you'd see with a SQL-Injection. I've had all my friends in the US see this, but Philipp (Germany) didn't. Try a search for this '*. (http://www.google.com/search?hl=en&q=%27*)
Here's a blog post of what I've seen :
http://blog.justinpfister.com/2006/11/google-sql-like-injection-query_03.cfm

Screen shot might make it easier:
http://blog.justinpfister.com/uploaded_images/google_sqllike_injection_2-709132.JPG

Kirby Witmer [PersonRank 10]

16 years ago

did it for me and i'm in the US.

Justin Pfister [PersonRank 10]

16 years ago

So you saw the HTML code which looks like this? : <a herf=http://froogle.google.com/froogle?q='*&hl=en&lr=&sa=X&oi=froogle&ct=title>Product search results for '*

Niraj Sanghvi [PersonRank 10]

16 years ago

Did *not* do it for me and I'm in the US. Strange.

Philipp Lenssen [PersonRank 10]

16 years ago

[I fixed the first link in Justin's post, there was a bracket added...]

Tony Ruscoe [PersonRank 10]

16 years ago

Looks like this bug might be fixed now as I just get a "Product search results for *" link.

Justin Pfister [PersonRank 10]

16 years ago

The issue is definitely still there. I made this discovery at work and now that I'm home, I tried it again and it's still outputting HTML code.

Stephen Tordoff [PersonRank 10]

16 years ago

Just tried it on .co.uk, and .com through a proxy server, both return correct output
