I was recently tasked with assessing vulnerabilities on some of my companies database servers and the applications that connect to them. I have been asked as part of the documentation to provide a list of best practices. We are a small shop that has not had a set standards or security policy so this is new.
Here is what I have so far, let me know what I can add or what you use.
1. Only display essential data on web pages.
2. Make sure that application users and connections have bare minimum rights on the database server.
3. Sanitize data that is freely input by users.
4. Use prepared statements to send precompiled SQL statements.
5. Never allow client supplied data to modify the syntax of SQL statements.
6. Isolate the web application from SQL altogether.
I really appreciate any input!