Is the contents of $dberror text of HTML? You put both into it. At worst, this could be an opening for a cross-site scripting attack.