Any data and queries can be set up or retrieved in the form of dictionaries (combined with arrays). For easy transport via HTTP, those dictionaries can be converted from/to JSON.
Such a request could be a dictionary with some "action" field containing the basic action to perform. The second field could be a "params" which contains a dictionary with required query params (user name or similar). For updating data you could also add a "rows" field which is an array of dictionaries containing one or multiple data records.
The server return will be another JSON-> dictionary which could contain some field "result" (containing "OK" or an Error message) and also a "rows" variable.
How to do HTTP in Godot is roughly explained here:
You'll want to do a POST for transmitting data. Which will also return data back from the server.
The server can be any HTTP server (i.e. apache) software. Using i.e. a PHP-script it is very easy to listen to http requests, decode the JSON data, query a MySQL/MariaDB Database and send the answer back in JSON. There are tons of examples in the web. Here's one: https://www.opentechguides.com/how-to/article/php/100/mysql-to-json.html
Essentially, you create a textfile like "gamedata.php" containing the php code and put it in the htdocs/web directory of your website. Optionally in a subfolder. The request address would look roughly like this "https://mywebsite.com/mysubfolder/gamedata.php".
Ok, that was about sending/getting data. Now about security:
This depends on how important that data is. For low security it might be sufficient to simply pass a password in the request parameters and check it in the PHP script. For more security there are nearly endless possitbilities like encrypted data or challenge/reponse logins with session ids.
Never directly send mysql statements via http or assemble sql statements directly of the received parameters using string functions. Use bound parameters or clean up any data field at least (i.e. only allowing "a-zA-Z0-9 "). The problem here is SQL-injection: https://en.wikipedia.org/wiki/SQL_injection
Limit the possible actions. I.e. limit the user rights for the user which the PHP script uses for the connect.
- Avoid the deletion of records.
- Backup the database often.
Tell your game users what you are doing. This will depend on the platform you are publishing on but most require some GDRP/Data Privacy statement. And mobile apps usually require some permission to be enabled to access the internet.