How to ensure the maximum level of data table security and its critical data using a database web user?

I wrote a PHP web application that is of course connected to MySQL database. Servers (Apache & PHP) are physically separated and protected by firewall. Between mentioned servers only communication through 3306 is possible while external users can access web application (server) only through internet using port 80 and 443. On the database server side, a schema ‘testprevozi’ has been created along with two data tables named ‘clan’ and ‘napacna_prijava’. There are also bunch of other data tables created here but are irrelevant for this discussion. Besides a general data stored in table ‘clan’ (name, username, address,…) the table contains very critical data of application users (username, password, application security settings…). And that table along with its general and critical data should remain hidden from anyone (except to a database user named ‘webupo’).

Mentioned PHP web application is of course using the table ‘user’ and it is one of the main data tables for application to run (user authentication and other procedures). Now, the question is how to ensure the maximum level of security of data table ‘user’ so there will be no theoretical and practical possibilies for unauthorized person through the internet using PHP web application to see or access the table data individually? The database user ‘webupo’ is only used for web application to communication with database and has the following rights (BTW: DELETE grant on `testprevozi`.`napacna_prijava’ is needed due to application requirement):

MySQL [testprevozi]> show grants for webupo;
+-------------------------------------------------------------------------------------------------------+
| Grants for webupo@%                                                                                   |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'webupo'@'%' IDENTIFIED BY PASSWORD '********' |
| GRANT SELECT, INSERT, UPDATE ON `testprevozi`.* TO 'webupo'@'%'                                       |
| GRANT DELETE ON `testprevozi`.`napacna_prijava` TO 'webupo'@'%'                                       |
+-------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)


On the web application level I secured the database against SQL injections on each input field using the following function:

function ocisti_vnos_predSQL($data) {
    $data = trim($data); //Strip whitespace (or other characters) from the beginning and end of a string
    $data = stripslashes($data); // Un-quotes a quoted string
    $data = htmlspecialchars($data); //Convert special characters to HTML entities
    $data = filter_var($data, FILTER_SANITIZE_STRING); //strips or encodes unwanted characters
    return $data;
}

In your opinion, is there anything else I could do to ensure the highest level of data protection when external user accesses the database through written PHP web application? Any suggestions & comments are much appreciated.
JanjaNovakAsked:
Who is Participating?
 
Ray PaseurCommented:
This is a great question, but it's impossible to answer it in a forum like this.  Information Security is a full-time four year college major at the University of Maryland, and you really need to know everything they teach and everything that will be needed to repel the threats that will arise during the four years you would be studying.  So while it can't be answered, we can still point you to some good organizations and learning resources.  If you study and become involved with the topic, you will find a number of unifying principles.

Join OWASP and support the group
https://www.owasp.org/index.php/Main_Page

Learn the principles of PHP Security
http://php.net/manual/en/security.php

Choose a good web host
http://php.net/thanks.php

Keep abreast of the state of the art (this is old, but good)
http://www.sitepoint.com/php-security-blunders/
http://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html

As with most security considerations, the tradeoff is often between security and convenience.  Don't go too far out in the direction of security if it means that your user-experience will be damaged.  The links here will give you pretty good guidance, but you don't have to use all of them, by any means.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.