You could also use a VPN between the clients and your server so that the database cannot be compromised via the Internet.
smantscheff
Nearly a Posting Virtuoso
1,233 posts since Oct 2010
Reputation Points: 300
Solved Threads: 254
This does not help against social engineering, of course. If your customers tend to leave their computers unattended while logged in, a VPN does not help too much.
Maybe you are overdoing it anyway. If your data are stored in a MySQL database with user rights properly set and with no internet connection (except via the PHP website) and your interface displays only what it may and the webserver is password protected, who would go to the trouble of breaking in for some charity worker's marital statuses? The other info they might find in the phone book, anyway.
Make sure that your website is protected against SQL injection and keep your server up to date. That should frustrate 99% of the script kiddies.
smantscheff
Make sure that none of your PHP code shows raw SQL error messages, as this can be used for SQL injection, so all exceptions should be caught when the user inputs something.
steelshark
Junior Poster in Training
57 posts since Sep 2010
Reputation Points: 10
Solved Threads: 5
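The two pieces of advice above (protect against SQL injection, never show raw SQL errors) side by side, as an added example that is not code from any poster in this thread. The function names, the `workers` table and the in-memory SQLite database are assumptions made so the script runs offline; with MySQL only the PDO DSN would change.

```php
<?php
declare(strict_types=1);

// Constructed demo data in an in-memory SQLite database (assumption: stands in
// for the MySQL database the thread talks about).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE workers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');
$db->exec("INSERT INTO workers (name, phone) VALUES ('O''Brien', '555-0100'), ('Smith', '555-0101')");

// BEFORE (hypothetical): input concatenated into the SQL text, and the raw
// driver message returned to the browser.
function find_worker_unsafe(PDO $db, string $name): string
{
    try {
        $rows = $db->query("SELECT name, phone FROM workers WHERE name = '$name'")
                   ->fetchAll(PDO::FETCH_ASSOC);
        return json_encode($rows);
    } catch (PDOException $e) {
        return 'Database error: ' . $e->getMessage(); // exposes query internals
    }
}

// AFTER (hypothetical): bound parameter, details logged server-side only,
// generic reply with a reference the admin can look up in the log.
function find_worker_safe(PDO $db, string $name): string
{
    try {
        $stmt = $db->prepare('SELECT name, phone FROM workers WHERE name = :name');
        $stmt->execute([':name' => $name]);
        return json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(4)); // ties the user's reply to the log entry
        error_log("[db-error $ref] " . $e->getMessage());
        return "Sorry, something went wrong (reference $ref).";
    }
}

// An ordinary surname with an apostrophe already separates the two versions:
// the first returns the driver's syntax error, the second returns the row.
echo find_worker_unsafe($db, "O'Brien"), PHP_EOL;
echo find_worker_safe($db, "O'Brien"), PHP_EOL;

// Force a real failure (constructed) to show the generic reply path.
$db->exec('DROP TABLE workers');
echo find_worker_safe($db, 'Smith'), PHP_EOL;
```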
Good, that's the proper way to go. But there are enough people who build sites that don't do that...
So for you I was just pointing out the obvious, but perhaps others (more inexperienced developers) have found it useful.
steelshark