
Database security: SQL injection, parameters, and encryption

28.02.2034
โ† All articles

The database is the most valuable asset of any website. User profiles, passwords, orders, payment information, and other critical data are stored here. A database security breach not only halts site operation but also destroys user trust and can lead to legal consequences. For Sayt.uz customers, database security is an area requiring special attention, and we implement defensive layers at every stage.

SQL injection: the most common attack

SQL injection is an attack in which an attacker sends malicious SQL code into the database through user input fields. For example, if the attacker enters "' OR '1'='1" instead of a password and the site inserts that text directly into the SQL query, the authentication check can be bypassed. This attack can allow downloading the entire user database, gaining admin rights, or deleting the whole database. SQL injection has held top positions in the OWASP Top 10 list for years.

Parameterized queries (Prepared Statements)

The most effective protection against SQL injection is using parameterized queries (prepared statements). With this approach the SQL query structure and the user data are sent to the database separately, so user input is never executed as SQL code. In PHP such queries are written using PDO or MySQLi. For example with PDO: `$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?"); $stmt->execute([$email]);`. Whatever text is in $email, it is accepted only as a value, never as code.

Input validation and sanitization

Beyond parameterized queries, validating user input is also important. Each input field should have clear rules: an email field accepts only email format, a phone field only digits, a name field only letters. In PHP, filter_var() performs many types of validation. Additionally, htmlspecialchars() protects against XSS attacks when user data is output into HTML. This layered approach provides defense in depth: if one layer is broken, another continues to protect.

Minimal user permissions

The user the site uses to connect to the database should have only the minimally necessary permissions. For websites, SELECT, INSERT, UPDATE, and DELETE are typically sufficient. CREATE TABLE and ALTER TABLE permissions are only needed during installation and can be removed afterward. High-level permissions like GRANT OPTION, SUPER, and DROP DATABASE should never belong to a website user. This approach limits the damage when a SQL injection succeeds: the attacker cannot DROP DATABASE or read other databases.

Encrypting sensitive data

Even with all protection layers in place, there is still a possibility of database theft. Therefore sensitive data should be stored encrypted. Passwords should never be stored in plain text: they must be hashed using bcrypt, Argon2, or at minimum PBKDF2. In PHP, the password_hash() and password_verify() functions are designed exactly for this purpose. Credit card data and document numbers should be stored encrypted with AES-256.
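The three mechanisms described above (a prepared statement in place of string concatenation, filter_var() validation before the query, and password_hash()/password_verify() for credentials) in one runnable script. This is an added example, not Sayt.uz code; it assumes the pdo_sqlite extension so it can run against an in-memory database, and the users table and its rows are constructed sample data.

```php
<?php
// Added example (not Sayt.uz code): the string-built query the article warns
// about beside its PDO prepared-statement replacement, run on an in-memory
// SQLite database so the script is self-contained. Table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
foreach ([['alice@example.com', 'alice-pass'], ['bob@example.com', 'bob-pass']] as [$email, $pass]) {
    // PASSWORD_DEFAULT currently selects bcrypt; the hash embeds its own salt and cost.
    $insert->execute([$email, password_hash($pass, PASSWORD_DEFAULT)]);
}

// VULNERABLE: the input becomes part of the SQL text, so a quote in it rewrites the query.
function findUsersVulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the query structure is fixed in advance; the input is only ever bound as a value.
function findUsersSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login: validate the format first, then a parameterized lookup, then password_verify().
function login(PDO $pdo, string $email, string $password): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // malformed email is rejected before the database is touched
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

$payload = "' OR '1'='1"; // the input from the article
// The concatenated query becomes WHERE email = '' OR '1'='1', which matches every row.
printf("vulnerable lookup returned %d rows\n", count(findUsersVulnerable($pdo, $payload)));
// The bound parameter is compared as a literal string, so no email matches it.
printf("safe lookup returned %d rows\n", count(findUsersSafe($pdo, $payload)));
var_dump(login($pdo, 'alice@example.com', 'alice-pass'));
var_dump(login($pdo, $payload, 'anything'));
```

Run it with `php example.php`; the two printf lines show the difference between the concatenated and the parameterized lookup for the same input.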

Sayt.uz practice

On the Sayt.uz hosting network, database security is provided through a layered approach. A separate MySQL/MariaDB user is created for each customer with access only to their own databases. Direct connections from external IPs are blocked โ€” access is only via localhost. Automatic daily database backups are kept for 14 days. In the Database Security section of the customer dashboard, query statistics and suspicious activity for each database can be reviewed. Our security system automatically detects abnormal queries (large numbers of reads, bulk DELETEs) and notifies the customer.

Regular backups and monitoring

No protection is 100 percent, so regular backups and monitoring are essential. Daily automatic database backups stored in at least two different places (local server and cloud storage) are recommended. MySQL slow query log and general query log files help detect suspicious activity. Also regularly update the database server โ€” many security fixes come with updates.
