To put it in a nutshell, you are thinking of this:

On server side you have:

• a database, with login/password matches.
• a script that take 2 parameters (password and username) and check in the database if the couple exists

Your problem:

When your local application call the php script on server side, the 2 parameters are given in plain text. And you want to avoid tampering ( if your script are safe against injection i only see tampering used to bruteforce the auth <= keep in mind that i will keep this assumption in the whole post)

Your solution:

• On client side, encrypt the 2 parameters
• On server side, add a salt in your script to salt
• Then decrypt the 2 parameters and encrypt with a salt

What I think:

This will not solve the tampering issue, someone can still forge requests.
The first encryption is useless because someone can retreive the key used by your client.
The second encryption is not safe enought because you use the same salt for all you users.

What I suggest:

Accept that tampering can’t be avoided if you don’t use a secure protocol like HTTPS (can either use SSL or TLS).
If you want an acceptable security without HTTPS the following is what i would implement:

• A token system that you will check in order to see if the user can perform the login operation
• A username that would not be encrypted
• The password sha1 hashed stored in database
• On client side, you call the script and provide the username as non encrypted and your password as a sha1 hash, rehashed with a random salt (sha1(sha1(pass)+salt) (the salt is stored in the user session on server side)
• The script would then compared the provided hash with db password hash rehashed with session salt

The improvement is that the attacker must try to brute force two sha1 passwords consecutivaly and must provide a valid token to perform the login action. Plus if you use as salt a string using hex char of a variable even length, it will make the job harder for the attacker to recognised that the value bruteforced by the second hash is a sha1 hash, and even if he know it’s an sha1 he will have to test multiple case to try to find the right portion of the value that correspond to the hash.

Because of variable salt, a same password won’t be the same if hashed:
Imagine the attacker sniffed a hash and know which password was used then sniff another hash that was made with the same password as the other, the attacker won’t be able to know that the 2 password where the same( a little overkill but still usefull).

It is safer to store the password as hashed value, because if the attacker manage to dump your user table, he won’t be able to use the passwords right away, he would have to bruteforce each of then.
Finally sha1 hash are safer than md5 (i tell you that because you used the md5 tag in your post)

The downside of this method is that passwords can’t be reversed, so you won’t be able to given them back to your users if they lost it. You will have to make them set a new one.

An hardcore way (still without using HTTPS), would be to encrypt your password and username with a strong cypher (like AES or 3DES) and use a secure key echange algorythm (like the Diffie Hellman one) to exchange a random shared key.

This method won’t block tampering, but will screw the attacker, because he won’t be able to decrypt the value (assuming he only is sniffing the network). The key is random and never hardcoded in any of your application, so even if someone reverse your client, he won’t be able to retreive a key.
I would still recommend to store your password value has hash.

An extreme way would be to merge the 2 methods but would be completly overkill.

Hope this will give you ideas