network architecture related to db security - needed

I am trying to figure out the best possible implementation to keep a db 
safe that is going to used as a backend for publicly accessible web 
services (Internet).  What are the better or best ways to protect the db 
from being hacked OR what are the ways that the web machines will access 
them? 

I am not sure if a dmz would be best as I am thinking if someone got 
into the web box(on the DMZ) that they will have a clear shot going to 
the db if we have the port wide open for the two to communicate(say 3306 
for mysql communication).  Plus typically, there will be logins for the 
db that the php scripts that are running that need to access the db.  
Yes, these web boxen will also be running php, so I envision wanting to 
use some sort of encoding or encryption for these sensitive php files.  
Do I run the db connection over an ssh tunnel on my network, so that 
only port 22 is accessible between the db and web/php boxen?  That makes 
good sense, but I am concerned with the overhead ssh brings and keeping 
an already somewhat latent connection between separate db and 
web/php(considering db and web on the same box is the quickest way to 
communicate...sockets).

I am just wondering the ways that admins choose to secure these 
connections.  These seems like some of the hardest machines to secure 
and I cannot seem to find much out there in this regard.  Many other 
services seem more straight forward, so this is also more interesting to 
me as well.  Please share your ideas for the most secure db security so 
that we may learn.

Kind Regards,
Bob Ababurko