what stops an user from compiling his own SQL server in your hosting, binding it on a not-used port and running it thru crontab for example?
i think nothing...
1) you can configure APF just let IN traffic to already used ports, but firewalls doesn't stop someone from binding a port, just stop other people to connect to this port
in other words, doing that, you wouldn't allow IP 10.10.10.10 (for example) to connect on port 12345 (after you sucessfully bind it) of your server... but 127.0.0.1 (your own host) would still be able to connect
and that's all the user need to connect to the SQL server
2) you can stop compilers, like chmod 0700... some can just upload his own compiler (already compiled of course) or some sql server statically compiled
but they'll be limited by their disk quota, so why worry?
OTOH mysql takes up quite a lot of RAM, so you might want to impose an RSS limit on the users (if you haven't already). with a conservative amount, they won't be able to run something as memory-hungry as mysql