How to encypt sensitive data in database of a web app?

The generally accepted approach is similar to what AndrolGenhald suggested in an earlier answer but with some enhancements.

You can encrypt each user's data individually, using a key derived from their password. You do not, however, want to use the password directly as a key. It's a multi-step process, as follows.

1) You generate a random key, using a CSPRNGm, and use this random key to encrypt the user's data. You can create a new, different random key for each user. This is called the DEK, or data-encryption-key.

2) You take the user's password and run it through a PBKDF (such as PBKDF2, bcrypt, or scrypt) using a reasonably high work factor or number of iterations and a random salt to create a second key, the KEK or key-encryption-key. You then encrypt the DEK using the KEK, and store the encrypted DEK and the salt in the database.

Then, when the user logs in, you use their password and the salt from the database to regenerate the KEK, which you can use to decrypt the DEK, which you can use to decrypt the data.

Now, when the user changes their password, you no longer have to decrypt and re-encrypt all of their data, but simply use the new password (and a new salt) to generate a new KEK, and re-encypt the DEK using this new KEK.