Your web application needs access to the database server anyway (well, some level fo access to some database). Even if you put it on a separate machine, if the web server is compromised, an attacker...