How to ensure the maximum level of data table security and its critical data using a database web user?

I wrote a PHP web application that is of course connected to a MySQL database. The servers (Apache & PHP) are physically separated and protected by a firewall. Between the mentioned servers only communication through port 3306 is possible, while external users can access the web application (server) only through the internet using ports 80 and 443. On the database server side, a schema 'testprevozi' has been created along with two data tables named 'clan' and 'napacna_prijava'. There are also a bunch of other data tables created here, but they are irrelevant for this discussion. Besides general data stored in table 'clan' (name, username, address, ...), the table contains very critical data of application users (username, password, application security settings, ...). And that table, along with its general and critical data, should remain hidden from anyone (except a database user named 'webupo').

The mentioned PHP web application is of course using the table 'user', and it is one of the main data tables for the application to run (user authentication and other procedures). Now, the question is how to ensure the maximum level of security of data table 'user' so there will be no theoretical and practical possibilities for an unauthorized person through the internet, using the PHP web application, to see or access the table data individually? The database user 'webupo' is only used for the web application to communicate with the database and has the following rights (BTW: the DELETE grant on `testprevozi`.`napacna_prijava` is needed due to an application requirement):

MySQL [testprevozi]> show grants for webupo;
| Grants for webupo@%                                                                                   |
| GRANT USAGE ON *.* TO 'webupo'@'%' IDENTIFIED BY PASSWORD '********' |
| GRANT SELECT, INSERT, UPDATE ON `testprevozi`.* TO 'webupo'@'%'                                       |
| GRANT DELETE ON `testprevozi`.`napacna_prijava` TO 'webupo'@'%'                                       |
3 rows in set (0.00 sec)

On the web application level I secured the database against SQL injection on each input field using the following function:

function ocisti_vnos_predSQL($data) {
    $data = trim($data); // Strip whitespace (or other characters) from the beginning and end of a string
    $data = stripslashes($data); // Un-quotes a quoted string
    $data = htmlspecialchars($data); // Convert special characters to HTML entities
    $data = filter_var($data, FILTER_SANITIZE_STRING); // Strips or encodes unwanted characters (deprecated since PHP 8.1)
    return $data;
}
In your opinion, is there anything else I could do to ensure the highest level of data protection when external user accesses the database through written PHP web application? Any suggestions & comments are much appreciated.
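The function above encodes characters for HTML output; it does not separate data from SQL text, so it is the wrong layer for stopping SQL injection. The approach that removes the problem by construction is a fixed query string with bound parameters (PDO prepared statements), so the database never parses user input as SQL. The following is an added example written for this answer, not the asker's code: it reads only the two columns a login needs from the asker's `clan` table, records a failed attempt in `napacna_prijava`, and applies HTML escaping only at output time. The column names `uporabnisko_ime`, `geslo_hash` and `cas`, the `connect()`/`authenticate()` function names and the host and password placeholders are assumptions; the question names only the user `webupo`, the schema `testprevozi` and the two tables.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question. Column names (uporabnisko_ime,
// geslo_hash, cas) are assumptions; the question only names the tables
// `clan` and `napacna_prijava`, the schema `testprevozi` and the user `webupo`.

function connect(): PDO
{
    // Host and password are placeholders; they are not on the page.
    return new PDO(
        'mysql:host=DB_HOST_PLACEHOLDER;dbname=testprevozi;charset=utf8mb4',
        'webupo',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw; nothing fails silently
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepare: values never enter the SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Read only the two columns a login needs. Everything else in `clan`
// (address, security settings, ...) stays out of this code path entirely.
function findLoginRow(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, geslo_hash FROM clan WHERE uporabnisko_ime = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]); // bound as data, whatever characters it holds
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Record a failed attempt in `napacna_prijava`, again with a bound parameter
// rather than string interpolation.
function recordFailedLogin(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO napacna_prijava (uporabnisko_ime, cas) VALUES (:username, NOW())'
    );
    $stmt->execute([':username' => $username]);
}

// Returns the user id on success, null on failure. Assumes geslo_hash holds a
// password_hash() result, so the plaintext password is never stored or compared directly.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verified when the user does not exist, so "unknown user" and
        // "wrong password" take the same time and cannot be told apart by timing.
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $row  = findLoginRow($pdo, $username);
    $hash = $row['geslo_hash'] ?? $dummyHash;

    if ($row !== null && password_verify($password, $hash)) {
        return (int) $row['id'];
    }
    recordFailedLogin($pdo, $username);
    return null;
}

// HTML escaping belongs at output time, not before the value reaches SQL.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage sketch for a login form handler:
// $pdo = connect();
// $id  = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id === null) {
//     echo 'Login failed for ' . e($_POST['username'] ?? '');
// }
```

Two points a reviewer would add. First, `charset=utf8mb4` in the DSN and `ATTR_EMULATE_PREPARES => false` go together: with emulated prepares the PHP client does the quoting itself, and a mismatch between the client and server character sets is one of the few ways escaping has historically been bypassed. Second, the database side of the question: `GRANT SELECT, INSERT, UPDATE ON testprevozi.*` covers every table, including `clan`. If the web user only needs a few columns of `clan` for authentication, MySQL column privileges restrict it to exactly those (for example `GRANT SELECT (id, uporabnisko_ime, geslo_hash) ON testprevozi.clan TO 'webupo'@'%'`, with the real column names substituted), so that even a compromised application cannot read the rest of the row. That only works if the application's own queries never need the other columns, which is why the query above selects the minimum set.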
Ray Paseur commented:
This is a great question, but it's impossible to answer it in a forum like this. Information Security is a full-time four-year college major at the University of Maryland, and you really need to know everything they teach and everything that will be needed to repel the threats that will arise during the four years you would be studying. So while it can't be answered, we can still point you to some good organizations and learning resources. If you study and become involved with the topic, you will find a number of unifying principles.

Join OWASP and support the group

Learn the principles of PHP Security

Choose a good web host

Keep abreast of the state of the art (this is old, but good)

As with most security considerations, the tradeoff is often between security and convenience.  Don't go too far out in the direction of security if it means that your user-experience will be damaged.  The links here will give you pretty good guidance, but you don't have to use all of them, by any means.
