Well, sure there are reasons not to show the user errors coming from mysql queries, but how am I supposed to debug problems when they happen if the user can only tell me that "An error has occurred"? What do you guys do?
Do you log all the errors separately and review them periodically? Or give the user a ticket number that's associated with an SQL error that the user can't see but is stored some place else with the ticket number as a key for you to review?
Seems like a lot of work.
And actually, even in those cases, you have to review the errors, and you're likely to read them in a browser or a mail client, both of which would be vulnerable to XSS. So even if I don't show the user the message, should I not always HTML-escape it?
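As an added example (not code from the original post), here is the ticket-number approach in Python: the full MySQL error text is stored server-side under a random reference, the user only ever sees the reference, and the developer's review page HTML-escapes every stored field before rendering it. The in-memory store, the constructed error text and the function names are assumptions.

```python
import html
import secrets
from datetime import datetime, timezone

# Constructed in-memory store standing in for a log file or an errors table,
# keyed by the reference id handed to the user.
ERROR_STORE: dict[str, dict[str, str]] = {}

GENERIC_MESSAGE = "An error has occurred. Please quote reference {ref} when reporting it."


def record_db_error(exc: Exception, query: str) -> str:
    """Keep the raw error server-side and return an opaque reference id."""
    ref = secrets.token_hex(6)  # random, so users cannot enumerate other tickets
    ERROR_STORE[ref] = {
        "time": datetime.now(timezone.utc).isoformat(),
        "error": str(exc),   # raw driver message; may echo attacker-supplied input
        "query": query,      # the failing statement, for debugging
    }
    return ref


def user_facing_message(exc: Exception, query: str) -> str:
    """What the browser gets: a generic message plus the reference, never the SQL error."""
    ref = record_db_error(exc, query)
    return GENERIC_MESSAGE.format(ref=ref)


def render_error_for_review(ref: str) -> str:
    """HTML fragment for the developer's log viewer.

    Every field is escaped because the MySQL error text can contain whatever
    the user typed into the form, so an unescaped viewer is an XSS sink.
    """
    entry = ERROR_STORE[ref]
    rows = "".join(
        f"<tr><th>{html.escape(k)}</th><td>{html.escape(v)}</td></tr>"
        for k, v in entry.items()
    )
    return f"<table>{rows}</table>"
```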