best practice for c# calling php which then queries the database

Question

For some reason I have to have a windows client application (written in C#) which communicates with the PHP files that are on my server. Windows application can't be allowed to have SQL queries in the code because of the possible disassembling of the exe file. This is the main reason why this approach is used.

Basically it looks like this: from windows client i call getResult.php which then opens the connection to the database, queries the database, returns the result to the client and closes the database connection. Therefore windows client doesn't have any code for querying the database, it just has calls to the PHP file.

My several questions follow:
1. What is the best way to send request from c# code to the PHP file? (Cause I need to send this php file some parameters like ID, etc... -> I know I can do it with GET like this getResult.php?id=123456, but is this same possible with POST? And also, one question: how to do this in code? http requests or?)

2.Since every time I call the PHP file (there will be more files which I will call, like getResult.php, getStatus.php, etc...) I will somehow need to send login information to that PHP file with which that PHP will query the database. My question here is how to do this securely, and plus: is it maybe somehow possible to call something like doLogin.php and send the login username and password one time, and after that call this (and all other) php files without the need to send the login information as a parameter to the function. I know I can use PHP sessions when the whole application is on the server, but the main difference here is that I am only calling some files, executing them and closing the connection.

My main question is: is this ok from conceptual point of view or are there any commonly known concepts for this, for which I don't know about - please advise I'm willing to learn. I did some research and do believe this might have to be done with web services approach, but please do reply your thoughts on this.

Thank you for your help!

Answer 1

Your PHP code is effectively serving as a RESTful data-access API. Run your PHP on a webserver over SSL (HTTPS) so that all your comms are encrypted.

You could either use trusted certificates to authenticate the client, or if you require different access levels, submitting a username/password to get an authorisation token for the data-access requests is not a bad idea.

Answer 2

For a simple GET you can do:

var webClient = new WebClient();
webClient.DownloadString("http://someurl.com/somescript.php");

You could then return perhaps an XML or JSON formatted response from the PHP script? You can use WebClient for POST too.

As for the login, you can do that too. I do a similar thing in one of my applications. We send the login details to the script (ASP.NET not PHP) and the ASP page returns an XML response telling the C# app whether or not it was successful - the application can then decide whether it is allowed to continue or not.