> [ ] Use minimal privilege for the database access user account. Don’t use the database root account.
This advice seems outdated. In general, every significant security breach will get the attacker root access. Playing games with database accounts gets you no security at all, while introducing lots of friction and headache.
Sorry, you don't throw away mitigation techniques because they aren't foolproof. This is still excellent advice. Stop using sa and root accounts for your apps.
I agree with Spydum. The reason I agree is that layers of security are required. You should not use a root account for your web application. You should also use escaping, properly formed queries, and prepared statements. You use best practices in an orderly manner and you will be much safer than just picking one "silver bullet". Not every attack provides root access to the database or server. Why make it easier for folks? Least privilege is a viable tool in your bag.
Significant breach in the context of web development is usually a logic error that leads to unauthorized application-level access, leaking cookies, service unavailability, etc.
This is however not the most likely thing to go wrong, in general. Topping the charts is, as always, the one and only User Error!
Restricting db access is the last line of defense against accidentally DROP-ing TABLE in production.
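As an added illustration of the least-privilege setup these comments argue for (this is not code from any poster), here is a PostgreSQL role for a web application that can read and write rows but cannot drop, alter or truncate tables. The database name `shop`, schema `app`, table `orders` and role `app_web` are assumed; the password is a placeholder.

```sql
-- Weak setting: the application connects as the superuser / table owner,
-- so DROP TABLE, ALTER TABLE and TRUNCATE all succeed from app code.
--   DATABASE_URL=postgres://postgres:<password>@db/shop

-- Hardened: a dedicated login role for the app, created by the owner/DBA role.
CREATE ROLE app_web LOGIN PASSWORD '<placeholder-from-secret-store>';

-- Default-deny at the database and schema level, then grant only what is needed.
REVOKE ALL ON DATABASE shop FROM PUBLIC;
GRANT CONNECT ON DATABASE shop TO app_web;
REVOKE ALL ON SCHEMA app FROM PUBLIC;
GRANT USAGE ON SCHEMA app TO app_web;

-- Row-level DML only. DROP/ALTER are owner-only and TRUNCATE is a separate
-- privilege; none of them is granted here.
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA app TO app_web;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA app TO app_web;

-- Tables the owner creates later (e.g. in migrations) get the same narrow grants.
-- Run this as the role that owns / creates the tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_web;
ALTER DEFAULT PRIVILEGES IN SCHEMA app
    GRANT USAGE, SELECT ON SEQUENCES TO app_web;

-- Checks, run while connected as app_web:
--   SELECT count(*) FROM app.orders;   -- allowed
--   TRUNCATE app.orders;               -- rejected: no TRUNCATE privilege
--   DROP TABLE app.orders;             -- rejected: app_web is not the owner
-- Or confirm without trying the destructive statement:
SELECT has_table_privilege('app_web', 'app.orders', 'TRUNCATE');  -- expect false
SELECT has_table_privilege('app_web', 'app.orders', 'SELECT');    -- expect true
```

Schema changes then run under the owner role from a migration job, so the "friction" is confined to deployments rather than the application's steady-state connection.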