Absolutely. The web application should be logging to the database as an unpriviledged user. Seems that by now most people have learned that running web services as root is a bad idea, but they still forget that they should also have an unpriviledged database user for them.