I have created a desktop application that users can download and run from their own machines. This application requires network access and will often send changes to a database (hosted on my server) with updates, inserts, etc.
Keeping a password directly in the application is no good because if the application is decompiled then the user can see the database’s credentials and gain full access on their own.
Is the only safe way to do this using GET and POST and an API on the server side? Are there any other options?
So there are 2 issues here: 1) Authenticating users issuing POST updates to your server side PHP/database (they are who they say they are) and 2) Preventing your database credentials from being exposed.
1) Are you authenticating users with a 3rd party integrated server like LDAP?
2) The server credentials shouldn’t be stored in the application because they are never needed there. Once you authenticate a user and their request, your server side PHP should have a security function which decrypts the DB credentials and issues the SQL statement based on the information submitted by the user.
So to answer your question, yes, it is best practice to host a server side framework to handle incoming requests, which authenticates the user and then executes their request.
I suppose if you wanted the desktop app to be able to directly update the DB (not recommended), you could store an encrypted hash of the DB credentials and use a decryption algorithm to decrypt and then send them to the database.
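As an added illustration of the recommended design (a server-side endpoint that authenticates the user, then runs the database operation with credentials that live only on the server), the following Python sketch is example code written for this page, not code from the answerer or from any particular framework. It assumes a per-user bearer token scheme, an environment variable named `APP_DB_DSN` for the server's database connection string, and uses an in-memory SQLite table in place of the real database so it runs offline; the users, tokens and table layout are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import secrets
import sqlite3
from typing import Optional, Tuple

# Server-side table of per-user API tokens, stored salted and hashed
# (constructed for this example). The desktop client holds only its own
# token; the database credentials never leave the server.
USERS = {}


def _hash_token(token: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, 100_000)


def register_user(username: str) -> str:
    """Issue a fresh random token for a user and keep only its salted hash."""
    token = secrets.token_urlsafe(32)
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_token(token, salt))
    return token  # shown to the user once, e.g. during account setup


def open_db() -> sqlite3.Connection:
    """Open the database with credentials that exist only on the server.

    APP_DB_DSN is an assumed environment variable; the ':memory:' fallback
    keeps the example runnable offline with SQLite.
    """
    conn = sqlite3.connect(os.environ.get("APP_DB_DSN", ":memory:"))
    conn.execute(
        "CREATE TABLE IF NOT EXISTS notes (owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    return conn


def authenticate(headers: dict) -> Optional[str]:
    """Return the username for a valid 'Authorization: Bearer user:token' header."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or ":" not in auth[7:]:
        return None
    username, token = auth[7:].split(":", 1)
    record = USERS.get(username)
    if record is None:
        return None
    salt, expected = record
    # Constant-time comparison so response timing does not leak how many
    # bytes of the token matched.
    if not hmac.compare_digest(_hash_token(token, salt), expected):
        return None
    return username


def handle_post(conn: sqlite3.Connection, headers: dict, body: str) -> Tuple[int, dict]:
    """Server-side POST handler: authenticate, validate, then run a bound query."""
    username = authenticate(headers)
    if username is None:
        return 401, {"error": "unauthorized"}
    try:
        request = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed json"}
    if request.get("action") != "add_note" or not isinstance(request.get("body"), str):
        return 400, {"error": "unsupported request"}
    if len(request["body"]) > 1000:
        return 400, {"error": "note too long"}
    # The owner column comes from the authenticated identity, not from any
    # field the client sent, and the value is bound as a parameter rather
    # than spliced into the SQL string.
    with conn:
        conn.execute(
            "INSERT INTO notes (owner, body) VALUES (?, ?)",
            (username, request["body"]),
        )
    return 201, {"status": "created"}


def list_notes(conn: sqlite3.Connection, username: str) -> list:
    """Read back the notes stored for one user (parameterised query)."""
    rows = conn.execute("SELECT body FROM notes WHERE owner = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    token = register_user("alice")
    db = open_db()
    good = {"Authorization": f"Bearer alice:{token}"}
    print(handle_post(db, good, json.dumps({"action": "add_note", "body": "hello"})))
    print(handle_post(db, {"Authorization": "Bearer alice:wrong-token"}, "{}"))
    print(list_notes(db, "alice"))
```

In a real deployment the `handle_post` function would sit behind your web framework's routing (PHP, Flask, or whatever the server runs) and be served only over TLS; the desktop application then carries nothing but its own revocable token, so decompiling it yields no database credentials and no more access than that one user already has.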