Crossite scripting is possible if mysql_error() result is used in application output.
vulners.com/securityvulns/securityvulns:doc:14369