Database Security

Database security is critical — breaches expose sensitive user data. Learn SQL injection prevention, user privileges, encryption, and access control to protect production databases.

35 min•By Priygop Team•Last updated: Feb 2026

Security Best Practices

SQL Injection — Never concatenate user input into queries. Use parameterized queries / prepared statements always
Parameterized queries — PreparedStatement: SELECT * FROM users WHERE email = ? — the database treats input as data, never as SQL code
User privileges — GRANT SELECT ON products TO 'app_reader'. Principle of least privilege — apps get only needed permissions
REVOKE — Remove privileges: REVOKE DELETE ON orders FROM 'app_user'. Review permissions regularly
Encryption at rest — Encrypt sensitive columns (passwords, SSNs). Use bcrypt for passwords, never store plaintext
Encryption in transit — SSL/TLS for database connections. REQUIRE SSL for remote users
Audit logging — Track who changed what and when. Use triggers or database audit features

Security Code Examples

Example

-- SQL Injection vulnerability (NEVER DO THIS!)
-- query = "SELECT * FROM users WHERE email = '" + userInput + "'"
-- If userInput = "'; DROP TABLE users; --"
-- Result: SELECT * FROM users WHERE email = ''; DROP TABLE users; --'

-- Safe: Parameterized query (prepared statement)
-- Python: cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
-- Node.js: db.query("SELECT * FROM users WHERE email = ?", [email])
-- Java: PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE email = ?");

-- User management
CREATE USER 'app_reader'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT SELECT ON mydb.products TO 'app_reader'@'localhost';
GRANT SELECT ON mydb.categories TO 'app_reader'@'localhost';

CREATE USER 'app_writer'@'localhost' IDENTIFIED BY 'another_strong_password';
GRANT SELECT, INSERT, UPDATE ON mydb.* TO 'app_writer'@'localhost';
-- No DELETE or DROP permissions!

-- View current user permissions
SHOW GRANTS FOR 'app_reader'@'localhost';

-- Revoke permissions
REVOKE INSERT ON mydb.* FROM 'app_writer'@'localhost';

-- Require SSL
ALTER USER 'remote_user'@'%' REQUIRE SSL;

Quick Quiz: Database Security

Security Best Practices

SQL Injection — Never concatenate user input into queries. Use parameterized queries / prepared statements always

Parameterized queries — PreparedStatement: SELECT * FROM users WHERE email = ? — the database treats input as data, never as SQL code

User privileges — GRANT SELECT ON products TO 'app_reader'. Principle of least privilege — apps get only needed permissions

REVOKE — Remove privileges: REVOKE DELETE ON orders FROM 'app_user'. Review permissions regularly

Encryption at rest — Encrypt sensitive columns (passwords, SSNs). Use bcrypt for passwords, never store plaintext

Encryption in transit — SSL/TLS for database connections. REQUIRE SSL for remote users

Audit logging — Track who changed what and when. Use triggers or database audit features

Security Code Examples

Example

-- SQL Injection vulnerability (NEVER DO THIS!)
-- query = "SELECT * FROM users WHERE email = '" + userInput + "'"
-- If userInput = "'; DROP TABLE users; --"
-- Result: SELECT * FROM users WHERE email = ''; DROP TABLE users; --'

-- Safe: Parameterized query (prepared statement)
-- Python: cursor.execute("SELECT * FROM users WHERE email = %s", (email,))
-- Node.js: db.query("SELECT * FROM users WHERE email = ?", [email])
-- Java: PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE email = ?");

-- User management
CREATE USER 'app_reader'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT SELECT ON mydb.products TO 'app_reader'@'localhost';
GRANT SELECT ON mydb.categories TO 'app_reader'@'localhost';

CREATE USER 'app_writer'@'localhost' IDENTIFIED BY 'another_strong_password';
GRANT SELECT, INSERT, UPDATE ON mydb.* TO 'app_writer'@'localhost';
-- No DELETE or DROP permissions!

-- View current user permissions
SHOW GRANTS FOR 'app_reader'@'localhost';

-- Revoke permissions
REVOKE INSERT ON mydb.* FROM 'app_writer'@'localhost';

-- Require SSL
ALTER USER 'remote_user'@'%' REQUIRE SSL;

Database Security

Security Best Practices

Security Code Examples

Quick Quiz: Database Security

Topics in This Module

Database Security

Security Best Practices

Security Code Examples

Quick Quiz: Database Security

Topics in This Module