by geofft 4607 days ago
How is Google supposed to check for what is/isn't "sqli"? The proposal reminds me of Yahoo! Mail's old "medireview" problem, where it filtered emails containing the string "eval":

http://en.wikipedia.org/wiki/Medireview#Blocked_emails

Even if you look for somewhat complete SQL strings, if I want to host http://try-sql-in-your-browser.io/?sql=select+foo+from+bar, I'd want Google to index it.

2 comments

Well, for one, we could make a standard query value that would say whether or not the URL is evil.

http://try-sql-in-your-browser.io/?evil=true

It works well for IPv4.

For a hilarious variant trying to protect against "attacks" on humans, use your favorite search engine to search for "buttbuttination".

Awesome, I had seen a few things in the wild like this, but this ended up in some fun reading. Thanks!