XSS Through mysql_error()

Published on: 1195741122 (Unix timestamp, 22 November 2007 UTC)
This is clever.

Another good reason why displaying errors is bad practice. Luca wrote up on his blog what he found while messing with mysql_error(): when an SQL injection attempt fails, MySQL's parse error echoes the offending query fragment back ("... for the right syntax to use near '...' at line 1"), and if the application prints mysql_error() into the page, that echo is reflected cross-site scripting. It also works when mysql_real_escape_string() is in use. Why? Because mysql_real_escape_string() only escapes quotes, backslashes and a few control characters; it leaves < and > untouched, and plenty of XSS vectors need no single quote at all. So the code below does not protect against it. Time to turn error reporting off, but we knew that. Strictly speaking, display_errors=Off only hides the symptom: the real fix is never to echo a driver error to the user (log it server-side, show a generic message) and to HTML-encode anything that is reflected.
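
As an added example (mine, not code from the original post or from Luca's write-up), here is the vulnerable pattern next to a hardened handler. It uses mysqli rather than the mysql_* extension the post refers to, since that extension was removed in PHP 7.0; mysqli_error() returns the same server-generated message, so the behaviour is the same. The MySQL server, the connection parameters and the users(id INT, name VARCHAR) table are assumptions; the attacker input is constructed for the demo.

```php
<?php
// Added example, not from the original post. Assumes a reachable MySQL server
// (host/user/password/database below are placeholders) with a table
// users(id INT, name VARCHAR(64)). Run from the CLI: php xss_mysql_error.php
declare(strict_types=1);

// Since PHP 8.1 mysqli throws mysqli_sql_exception by default; an uncaught
// exception with display_errors on would leak the same message. Switch it off
// so the checks below see the error the way a mysql_error() caller did.
mysqli_report(MYSQLI_REPORT_OFF);

/**
 * Vulnerable: the value IS escaped, but it is used unquoted (numeric context),
 * so a payload with no quotes passes through mysqli_real_escape_string()
 * unchanged, breaks the SQL, and is echoed back by the server inside its
 * "... near '<payload>' at line 1" parse error, which this code prints.
 */
function lookupVulnerable(mysqli $db, string $rawId): string
{
    $id  = mysqli_real_escape_string($db, $rawId);   // leaves < > / = ( ) alone
    $res = mysqli_query($db, "SELECT name FROM users WHERE id = $id");
    if ($res === false) {
        // Reflected XSS: attacker bytes go straight into the HTML response.
        return '<p>Query failed: ' . mysqli_error($db) . '</p>';
    }
    $row = mysqli_fetch_assoc($res);
    return '<p>' . htmlspecialchars((string) ($row['name'] ?? ''), ENT_QUOTES, 'UTF-8') . '</p>';
}

/**
 * Hardened: validate the type, bind the value, never show driver errors to the
 * user, and HTML-encode anything that is reflected.
 */
function lookupHardened(mysqli $db, string $rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        // Reflecting the input is fine only because it is encoded.
        return '<p>Invalid id: ' . htmlspecialchars($rawId, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    $stmt = mysqli_prepare($db, 'SELECT name FROM users WHERE id = ?');
    if ($stmt === false) {
        error_log('users prepare failed: ' . mysqli_error($db));   // server-side only
        return '<p>Lookup failed.</p>';                             // generic to the user
    }
    mysqli_stmt_bind_param($stmt, 'i', $id);
    if (!mysqli_stmt_execute($stmt)) {
        error_log('users lookup failed: ' . mysqli_stmt_error($stmt));
        return '<p>Lookup failed.</p>';
    }
    mysqli_stmt_bind_result($stmt, $name);
    $name = mysqli_stmt_fetch($stmt) ? (string) $name : '';
    return '<p>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Demo driver. Connection values are placeholders (assumption).
$db = mysqli_connect('127.0.0.1', 'app', 'secret', 'appdb');
if ($db === false) {
    fwrite(STDERR, 'connect failed: ' . mysqli_connect_error() . "\n");
    exit(1);
}

// Constructed attacker input: no single quote anywhere, so escaping does not
// touch it, and "WHERE id = <script>..." is a parse error at the first token,
// which MySQL quotes back in full in its error message.
$payload = '<script>alert(document.cookie)</script>';

echo lookupVulnerable($db, $payload), "\n";   // script tag lands inside the error text
echo lookupHardened($db, $payload), "\n";     // encoded, no driver message shown
```

Run it and compare the two lines: the first contains the raw `<script>` element inside MySQL's "near '...'" text, the second only an encoded copy of the input. The same holds for any handler that prints mysqli_error(), mysqli_connect_error() or an uncaught mysqli_sql_exception message into the page, so the escaping function is not the control to rely on here.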

Check it out: