Subject Re: Web application with Firebird 3 and SaaS
Author
We have over 50 web applications using PHP & Firebird on Apache 2 web servers.  Some are deployed to be public facing Internet apps and others are private.  I've been developing these applications on Firebird SQL since about 2006.  They are reliable, fast and scale very well.

That said, there are many lessons you will learn in doing this - how to set up your FB database config settings for optimal use based on a lot of small, non-persistent connections that will come in via the Internet. You will need to know how to properly configure Apache as well. The issue you will also face is that PHP support for FB versions is not parallel with the FB version rollouts. For example, you *might* be able to get PHP to work with FB v3 but I've not had as much luck with this. We compile our PHP from source, to build in support for the fbclient libraries that are provided at the Linux OS level, and you need to find the right mix of 32/64 bit drivers, FB versions, PHP versions that are compatible and finally your web server that will manage it all. This may take you some time to find the blend. You may be able to use PDO for this, but we use native ibase_* calls.

Also, if you are a PHP developer, you are likely to use a framework for this, since developing all the code to support an MVC model is likely to be time consuming and to introduce security vulnerabilities into the mix. You must also consider your framework and how it may work with Firebird. The thing is that 99% of all PHP applications that use databases assume MySQL (the LAMP stack abbreviation has the M = MySQL). So you will need to find a way to swap out MySQL for Firebird.

One technique we use is that all access to the database is done through stored procedures. Not only does this ensure that your queries are (for the most part) pre-compiled for high performance, but it allows you to implement some additional security checking here. I can't stress enough the importance of security. A workgroup/client-server application such as one developed in Delphi does not typically expose itself to the world, but your Internet app does. How do you mitigate a DDoS attack? How do you handle CSS forgery? How do you handle SQL Injection attacks? If you don't have a strategy for this done up front, you will create a really nice attack surface for exploitation. I'd say 9 out of 10 new PHP developers do this unwittingly and learn the hard way. Don't be part of the statistic. Learn security before you learn code.

Otherwise if you get all of this working correctly, you will be rewarded with a fast, reliable and scalable solution.  The community here are super helpful as you go through the process to learn to optimize queries, etc. but don't underestimate the barriers to entry here.  They require you to learn a lot, and yet this is one of those situations where (from my own personal experience) the return on that learning is huge.

Good luck.

Myles
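
The stored-procedure approach described in the message above, as an added example that is not part of the original post or the poster's own code: a Firebird PSQL procedure that performs its own access check, with the web account granted EXECUTE only and no rights on the tables. The tables, columns, exception, procedure and the `WEBAPP` user are all hypothetical names chosen for illustration.

```sql
-- Added example; every object name here (ORDERS, WEB_SESSIONS, WEBAPP, ...) is hypothetical.
CREATE TABLE ORDERS (
    ORDER_ID    INTEGER NOT NULL PRIMARY KEY,
    CUSTOMER_ID INTEGER NOT NULL,
    ORDER_DATE  DATE NOT NULL,
    TOTAL       NUMERIC(12,2) NOT NULL);

CREATE TABLE WEB_SESSIONS (
    TOKEN       VARCHAR(64) NOT NULL PRIMARY KEY,
    CUSTOMER_ID INTEGER NOT NULL,
    EXPIRES_AT  TIMESTAMP NOT NULL);

CREATE EXCEPTION E_ACCESS_DENIED 'Access denied';

SET TERM ^ ;
CREATE OR ALTER PROCEDURE GET_CUSTOMER_ORDERS (
    P_CUSTOMER_ID   INTEGER,
    P_SESSION_TOKEN VARCHAR(64))
RETURNS (
    ORDER_ID   INTEGER,
    ORDER_DATE DATE,
    TOTAL      NUMERIC(12,2))
AS
BEGIN
  -- Reject missing arguments before touching any table.
  IF (P_CUSTOMER_ID IS NULL OR P_SESSION_TOKEN IS NULL) THEN
    EXCEPTION E_ACCESS_DENIED;

  -- Check enforced in the database: the session must be live and must
  -- belong to the customer whose rows are being requested.
  IF (NOT EXISTS (
        SELECT 1 FROM WEB_SESSIONS S
        WHERE S.TOKEN = :P_SESSION_TOKEN
          AND S.CUSTOMER_ID = :P_CUSTOMER_ID
          AND S.EXPIRES_AT > CURRENT_TIMESTAMP)) THEN
    EXCEPTION E_ACCESS_DENIED;

  -- Inputs are typed parameters, never concatenated into SQL text.
  FOR SELECT O.ORDER_ID, O.ORDER_DATE, O.TOTAL
      FROM ORDERS O
      WHERE O.CUSTOMER_ID = :P_CUSTOMER_ID
      INTO :ORDER_ID, :ORDER_DATE, :TOTAL
  DO SUSPEND;
END^
SET TERM ; ^

-- The procedure may read the tables; the web account may only run the procedure.
GRANT SELECT ON ORDERS TO PROCEDURE GET_CUSTOMER_ORDERS;
GRANT SELECT ON WEB_SESSIONS TO PROCEDURE GET_CUSTOMER_ORDERS;
GRANT EXECUTE ON PROCEDURE GET_CUSTOMER_ORDERS TO USER WEBAPP;
```

The web tier would then issue `SELECT * FROM GET_CUSTOMER_ORDERS(?, ?)` through a prepared statement with bound parameters, so an injected query running as `WEBAPP` still cannot read `ORDERS` directly.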