The problem was that the database had a comprehensive set of APIs to manipulate things. Unfortunately, the API was a PHP library on a web server and an application written in another language on another platform needed to access this.
I considered SOAP and XML-RPC but PHP's support for either was experimental, badly documented and required additional libraries. OTOH, elementary XML parsing was built-in. So I rolled my own interface. A 500-line PHP script accepts a specially constructed POST containing an XML-encoded function call, calls the function, and returns the data in the same type of XML. It has a list of allowed functions that it exposes this way to control what can be done and it leverages the login mechanism used on the rest of the site to prevent any random user calling it. The programmer who calls it loves it's versatility. By the end of the development, I was just adding extra function calls for him in its allowed list.