Players can decompile my game and find out the login and password to my sql server.... WHAT DO I DO??

Use a web server gateway and send the data (and receive it) with either XML or JSON (JSON being probably the easiest to manipulate)

You can send it something like {method => "get", what => "email", where => "users", value => {username_variable} }

then in PHP parse it to an array then

sql_query("SELECT email FROM users WHERE username = {username_variable};"); // this isn't valid, depends on database but you get the idea

then echo out the results in a JSON format like {email => "{returned value}"}

then in your game just read the output of the site and then parse the JSON and do what you need with the email variable... this keeps some of your stuff safe "you can make alias for table names and fields, etc".. then wont see your SQL username and password.. and then in your PHP script, check to see if the SQL code is valid.. make sure to do some safe code like a MySQL_real_escape_string() etc so they doon't SQL inject hack.. turn off error handling and do try/catch so they don't see any raw PHP errors exposed and get data from that.

You can try and do some sort of funky public/private key thing... though they will have access to the public key and if they know enough to decompose your c# code, they will figure out when sending fake headers and strings to your site via a GET or POST HTTP Header, they will just send that along with it.

Though if you are doing this enough, you could then just use a TCP network connection and PHP's sockets and make sure it's a valid user connection from the client that is sending the HTTP headers.