If you have legitimate URLs with pk and id (e.g., a legacy internal tool), ask Google not to index them.
// Secure code (pseudocode): only the logged-in user may request their own id
$id = $_GET['id'] ?? '';
if ((string) $user_session->getUserId() !== (string) $id) die("Access Denied");
Script kiddies use the same search to find thousands of potential victims for automated SQL injection tools like sqlmap.
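The three defenses above combined in one handler, as an added example that is not code from the original page: a noindex response header, the ownership check on `id`, and a bound query parameter so the value never reaches the SQL text. The `users` table, the function names `fetchOwnProfile` and `handleRequest`, and the in-memory SQLite data are assumptions made for the example; it needs PHP 8 with `pdo_sqlite`.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for a legacy page such as /profile.php?id=42.
// Table, column and function names are assumptions made for this example.

function fetchOwnProfile(PDO $db, int $sessionUserId, mixed $rawId): ?array
{
    // Accept only a positive integer; anything else is rejected before it reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || $id !== $sessionUserId) {
        return null; // not the caller's own record: the caller answers 403
    }
    // Bound parameter: the value is never concatenated into the query string.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function handleRequest(PDO $db, int $sessionUserId, array $query): array
{
    // noindex asks search engines to keep this URL out of their results.
    $headers = ['X-Robots-Tag: noindex, nofollow'];
    $row = fetchOwnProfile($db, $sessionUserId, $query['id'] ?? null);
    return $row === null
        ? [403, $headers, 'Access Denied']
        : [200, $headers, json_encode($row)];
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Session user is 1; the candidates are constructed request values.
foreach (['1', '2', '1 OR 1=1', null] as $candidate) {
    [$status, , $body] = handleRequest($db, 1, ['id' => $candidate]);
    printf("%-12s -> %d %s\n", var_export($candidate, true), $status, $body);
}
```

Only the first candidate, the session user's own id, returns a record; the other three are refused before any query runs.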
