Bit of noob help with network architecture

I need a set up of 2 or possibly 3 servers, a web server, a database server and maybe an application server.

The web server will use information from the database server to create the pages. The internet users can access the website and use it to find things from the database. However the only way the database should be changed is from someone logged on the intranet.

My understanding of the DMZ is a bit scetchy, i understand that this is where we put things that are needed to be accessed both internally and externally. So the webserver would be placed in there. But what about the database server, would the best solution to be to have it on the intranet side and open a port on the router/firewall to let the webserver communicate with it?

TIA

From my own understanding (which could be wrong) I'd say that you want the database server to be internal to your network. Its not public facing and should be read-only by the web server. An internal site would then be set up which would be allowed to write to the database, not accessible from the web.

If all users access the database via a web page then the only user of the database is the webserver, which is internal. Thus the database server is totally internal to the network. Only the webserver would need to be in the DMZ.

EDIT: The web server, not the end user accessing the web server, is the user on the database server. So both database server and database user (the webserver) are internal.

I'm sure there's a clearer way of explaining it...