[steebchen]

If you actually use this search parameter, it is indeed someone injecting some information to steal your search rankings for their own good. They can just arbitrarily generate this and add links to other sites, so Google will eventually index it. To prevent this abuse, you could return an HTTP error code when the search result is longer than X characters, includes braces, and so forth.

If you don't use any search parameter or they don't use the one you are using, I would recommend adding a [canonical meta tag](https://en.wikipedia.org/wiki/Canonical_link_element) which signals to Google that only a specific version of a site is the source of truth. For example, adding a canonical by removing the query string from the current URL, example.com/page?foo=bar and example.com/page would have set the canonical value to example.com/page. So even if people link to specific parts which includes an arbitrary query string, Google will only index the one you specify without the query string, and these links you mentioned will not do anything (except potentially showing up once or twice in your analytics software).