Is this safe to display MySQL query error in webpage if something went wrong?

End users should never get to see the gory details of your environment.

Instead, it is more professional to show a generic 'Sorry, something went wrong' page. At least visitors can see that you have a real error handling mechanism present on your website.

However, those errors should be written to the MySQL error log and should also trigger a notification by e-mail or otherwise to the IT team. Those errors should not happen, so they can be a sign that your site is failing or is possibly under attack.
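The pattern this answer describes, as an added example that is not part of the original post: the full driver error, the statement and an incident reference go to the server-side log and to a notification hook, while the client only ever sees the generic message plus the reference it can quote to support. The code assumes sqlite3 as a stand-in for MySQL (the handling is identical with a MySQL driver's base error class), and the `notify_ops` hook is a placeholder for whatever e-mail or paging integration a site actually uses.

```python
import logging
import sqlite3
import uuid


class ListHandler(logging.Handler):
    """Keeps formatted log records in memory so the behaviour can be checked offline.
    In production this would be a file or syslog handler."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


# Server-side logger: full details go here, never into the HTTP response.
log = logging.getLogger("app.db")
log.setLevel(logging.ERROR)
SERVER_LOG = ListHandler()
log.addHandler(SERVER_LOG)

# Placeholder notification channel (assumption: stands in for e-mail/pager).
NOTIFICATIONS = []


def notify_ops(incident_id, detail):
    """Hand the incident to the IT team; here it is recorded in a list."""
    NOTIFICATIONS.append({"incident": incident_id, "detail": detail})


# What the visitor sees. The reference lets support find the log entry
# without the page revealing anything about the schema or the driver.
GENERIC_MESSAGE = "Sorry, something went wrong. Reference: {incident}"


def run_query(conn, sql, params=()):
    """Execute a query. On failure, log everything server-side and return a
    generic (status, body) pair that carries only an incident reference."""
    try:
        rows = conn.execute(sql, params).fetchall()
        return 200, {"rows": rows}
    except sqlite3.Error as exc:  # with MySQL: the driver's base Error class
        incident = uuid.uuid4().hex[:12]
        detail = f"{type(exc).__name__}: {exc} | sql={sql!r} params={params!r}"
        log.error("incident=%s %s", incident, detail)
        notify_ops(incident, detail)
        return 500, {"error": GENERIC_MESSAGE.format(incident=incident)}


def demo():
    """Constructed run: one working query, one that fails on a missing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    ok = run_query(conn, "SELECT name FROM users WHERE id = ?", (1,))
    bad = run_query(conn, "SELECT secret FROM no_such_table")
    return ok, bad


if __name__ == "__main__":
    good, failed = demo()
    print(good)
    print(failed)            # generic text plus reference only
    print(SERVER_LOG.records)  # the real cause, kept on the server
```

The incident reference is the piece that makes the generic page usable: the visitor reports it, the operator greps the server log for it, and nothing about table names or driver versions crosses the wire.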


No, it is definitely not safe because it creates additional SQL injection attack vectors not present otherwise. Example: If you have an SQL injection flaw in an insert then this is some kind of "blind" injection because the insert doesn't report back any result rows to the caller. But if you bring a potential insert error message back to the client then you make this vulnerable to the so-called "XPath" injection (see this paper for details). The essence is that you inject an XML function that is supposed to compute a variable of data type XML. One of the function's arguments is an XPath variable which can again be computed by select statements and string concatenation. Instead of providing a valid XPath you do a select (e.g. "select password_hash from users where id='admin'"). So the DB will execute an INSERT that is purposefully wrong through your injection. The result will be an error message like

'bb9af55cd325deaa89bb7b4e36085b4d' is not a valid xpath

If you display error messages like these to the caller this can be used to basically enumerate the DB. I have seen this happening recently. The error message was cut to 30 characters and it was only possible to select one column and one row at a time but still possible to enumerate the entire DB with it.
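A defender's counterpart to this answer, added here and not part of the original post: since the error messages described above are the only channel the attacker gets, the server-side log of database errors is where the enumeration shows up. The block scans constructed application log lines (format assumed: ISO timestamp, client IP, `db_error:` and the driver message) for two signals: error text that carries database content rather than a description of the fault (the "is not a valid xpath" form quoted above, and the `XPATH syntax error:` wording MySQL itself emits), and a burst of database errors from one client, which is what "one column and one row at a time" looks like from the log side. Thresholds and the log format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Format assumed:
# "<ISO timestamp> <client IP> db_error: <driver message>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 db_error: Duplicate entry 'bob' for key 'users.username'
2024-05-01T10:00:05 198.51.100.9 db_error: 'col_value_001' is not a valid xpath
2024-05-01T10:00:06 198.51.100.9 db_error: XPATH syntax error: 'col_value_002'
2024-05-01T10:00:08 198.51.100.9 db_error: You have an error in your SQL syntax
2024-05-01T10:00:10 198.51.100.9 db_error: 'col_value_003' is not a valid xpath
2024-05-01T10:00:12 198.51.100.9 db_error: Incorrect integer value: 'x' for column 'id'
2024-05-01T10:05:00 192.0.2.5 db_error: You have an error in your SQL syntax
2024-05-01T10:09:00 192.0.2.5 db_error: You have an error in your SQL syntax
"""

# Error text whose payload is data pulled from the database, not a fault description.
XPATH_LEAK = re.compile(r"is not a valid xpath|XPATH syntax error", re.IGNORECASE)

BURST_THRESHOLD = 4                    # this many DB errors from one client ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window is worth a page


def parse_line(line):
    """Split one log line into (timestamp, client ip, message)."""
    ts, ip, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, msg


def detect(log_text, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return alert dicts for error-based extraction text and per-client error bursts.

    A burst is reported once per client, the first time the sliding window
    holds `threshold` errors, so a long enumeration does not flood the channel."""
    alerts = []
    recent = defaultdict(deque)   # client ip -> timestamps inside the window
    burst_reported = set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, msg = parse_line(line)

        # Signal 1: the message itself is a row value, not a fault description.
        if XPATH_LEAK.search(msg):
            alerts.append({"kind": "error_based_extraction", "ip": ip,
                           "time": ts.isoformat(), "message": msg})

        # Signal 2: many DB errors from one client in a short time.
        window_q = recent[ip]
        window_q.append(ts)
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and ip not in burst_reported:
            burst_reported.add(ip)
            alerts.append({"kind": "error_burst", "ip": ip,
                           "time": ts.isoformat(), "count": len(window_q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the single duplicate-key error from 203.0.113.7 and the two syntax errors minutes apart from 192.0.2.5 stay quiet; 198.51.100.9 raises three extraction alerts and one burst alert. The second rule matters even when the application already hides messages from the client, because it fires on the attempt rather than on the leak.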


Others have rightfully touched on why MySQL details should not be exposed via the main user interface of a website/application on a production server.

But there is a broader, much more high level issue in play when you display errors to an end user like this:

It basically telegraphs the idea that the server/site is badly managed.

Meaning you are a riper target for hacking, not because of the content of the details but because the details have been exposed to begin with.

Your attitude as an application developer—systems administrator and such—should be to make sure your final product fails gracefully, in a way that does not expose the “bones” of the system’s architecture yet still conveys some useful debugging data to you.