Single file PHP 7 script that adds a REST API to a MySQL 5.6 InnoDB database. PostgreSQL 9.1 and MS SQL Server 2012 are fully supported.
NB: This is the TreeQL reference implementation in PHP.
Related projects:
There are also ports of this script in:
There are also proof-of-concept ports of this script that only support basic REST CRUD functionality in: PHP, Java, Go, C# .net core, Node.js and Python.
This is a single file application! Upload “api.php
” somewhere and enjoy!
For local development you may run PHP’s built-in web server:
php -S localhost:8080
Test the script by opening the following URL:
http://localhost:8080/api.php/records/posts/1
Don’t forget to modify the configuration at the bottom of the file.
Edit the following lines in the bottom of the file “api.php
”:
$config = new Config([
'username' => 'xxx',
'password' => 'xxx',
'database' => 'xxx',
]);
These are all the configuration options and their default value between brackets:
mysql
, pgsql
or sqlsrv
(mysql
)localhost
)cors
)records,openapi
){"info":{"title":"PHP-CRUD-API","version":"1.0.0"}}
)TempFile
, Redis
, Memcache
, Memcached
or NoCache
(TempFile
)10
)false
)The code resides in the “src
” directory. You can access it at the URL:
http://localhost:8080/src/records/posts/1
You can compile all files into a single “api.php
” file using:
php build.php
NB: The script appends the classes in alphabetical order (directories first).
These limitation and constrains apply:
The following features are supported:
These features are new in v2 and were not included in v1:
The following features of v1 were dropped in v2:
NB: You can find v1 here: https://github.com/mevdschee/php-crud-api/tree/v1
You can enable the following middleware using the “middlewares” config parameter:
The “middlewares” config parameter is a comma separated list of enabled middlewares. You can tune the middleware behavior using middleware specific configuration parameters:
If you don’t specify these parameters in the configuration, then the default values (between brackets) are used.
TreeQL allows you to create a “tree” of JSON objects based on your SQL database structure (relations) and your query.
It is loosely based on the REST standard and also inspired by json:api.
The example posts table has only a a few fields:
posts
=======
id
title
content
created
The CRUD + List operations below act on this table.
If you want to create a record the request can be written in URL format as:
POST /records/posts
You have to send a body containing:
{
"title": "Black is the new red",
"content": "This is the second post.",
"created": "2018-03-06T21:34:01Z"
}
And it will return the value of the primary key of the newly created record:
2
To read a record from this table the request can be written in URL format as:
GET /records/posts/1
Where “1” is the value of the primary key of the record that you want to read. It will return:
{
"id": 1
"title": "Hello world!",
"content": "Welcome to the first post.",
"created": "2018-03-05T20:12:56Z"
}
On read operations you may apply joins.
To update a record in this table the request can be written in URL format as:
PUT /records/posts/1
Where “1” is the value of the primary key of the record that you want to update. Send as a body:
{
"title": "Adjusted title!"
}
This adjusts the title of the post. And the return value is the number of rows that are set:
1
If you want to delete a record from this table the request can be written in URL format as:
DELETE /records/posts/1
And it will return the number of deleted rows:
1
To list records from this table the request can be written in URL format as:
GET /records/posts
It will return:
{
"records":[
{
"id": 1,
"title": "Hello world!",
"content": "Welcome to the first post.",
"created": "2018-03-05T20:12:56Z"
}
]
}
On list operations you may apply filters and joins.
Filters provide search functionality, on list calls, using the “filter” parameter. You need to specify the column name, a comma, the match type, another commma and the value you want to filter on. These are supported match types:
You can negate all filters by prepending a “n” character, so that “eq” becomes “neq”. Examples of filter usage are:
GET /records/categories?filter=name,eq,Internet
GET /records/categories?filter=name,sw,Inter
GET /records/categories?filter=id,le,1
GET /records/categories?filter=id,ngt,2
GET /records/categories?filter=id,bt,1,1
Output:
{
"records":[
{
"id": 1
"name": "Internet"
}
]
}
In the next section we dive deeper into how you can apply multiple filters on a single list call.
Filters can be a by applied by repeating the “filter” parameter in the URL. For example the following URL:
GET /records/categories?filter=id,gt,1&filter=id,lt,3
will request all categories “where id > 1 and id < 3”. If you wanted “where id = 2 or id = 4” you should write:
GET /records/categories?filter1=id,eq,2&filter2=id,eq,4
As you see we added a number to the “filter” parameter to indicate that “OR” instead of “AND” should be applied. Note that you can also repeat “filter1” and create an “AND” within an “OR”. Since you can also go one level deeper by adding a letter (a-f) you can create almost any reasonably complex condition tree.
NB: You can only filter on the requested table (not on it’s included) and filters are only applied on list calls.
By default all columns are selected. With the “include” parameter you can select specific columns. You may use a dot to separate the table name from the column name. Multiple columns should be comma separated. An asterisk (”*“) may be used as a wildcard to indicate “all columns”. Similar to “include” you may use the “exclude” parameter to remove certain columns:
GET /records/categories/1?include=name
GET /records/categories/1?include=categories.name
GET /records/categories/1?exclude=categories.id
Output:
{
"name": "Internet"
}
NB: Columns that are used to include related entities are automatically added and cannot be left out of the output.
With the “order” parameter you can sort. By default the sort is in ascending order, but by specifying “desc” this can be reversed:
GET /records/categories?order=name,desc
GET /records/categories?order=id,desc&order=name
Output:
{
"records":[
{
"id": 3
"name": "Web development"
},
{
"id": 1
"name": "Internet"
}
]
}
NB: You may sort on multiple fields by using multiple “order” parameters. You can not order on “joined” columns.
The “size” parameter limits the number of returned records. This can be used for top N lists together with the “order” parameter (use descending order).
GET /records/categories?order=id,desc&size=1
Output:
{
"records":[
{
"id": 3
"name": "Web development"
}
]
}
NB: If you also want to know to the total number of records you may want to use the “page” parameter.
The “page” parameter holds the requested page. The default page size is 20, but can be adjusted (e.g. to 50).
GET /records/categories?order=id&page=1
GET /records/categories?order=id&page=1,50
Output:
{
"records":[
{
"id": 1
"name": "Internet"
},
{
"id": 3
"name": "Web development"
}
],
"results": 2
}
NB: Since pages that are not ordered cannot be paginated, pages will be ordered by primary key.
Let’s say that you have a posts table that has comments (made by users) and the posts can have tags.
posts comments users post_tags tags
======= ======== ======= ========= =======
id id id id id
title post_id username post_id name
content user_id phone tag_id
created message
When you want to list posts with their comments users and tags you can ask for two “tree” paths:
posts -> comments -> users
posts -> post_tags -> tags
These paths have the same root and this request can be written in URL format as:
GET /records/posts?join=comments,users&join=tags
Here you are allowed to leave out the intermediate table that binds posts to tags. In this example you see all three table relation types (hasMany, belongsTo and hasAndBelongsToMany) in effect:
This may lead to the following JSON data:
{
"records":[
{
"id": 1,
"title": "Hello world!",
"content": "Welcome to the first post.",
"created": "2018-03-05T20:12:56Z",
"comments": [
{
id: 1,
post_id: 1,
user_id: {
id: 1,
username: "mevdschee",
phone: null,
},
message: "Hi!"
},
{
id: 2,
post_id: 1,
user_id: {
id: 1,
username: "mevdschee",
phone: null,
},
message: "Hi again!"
}
],
"tags": []
},
{
"id": 2,
"title": "Black is the new red",
"content": "This is the second post.",
"created": "2018-03-06T21:34:01Z",
"comments": [],
"tags": [
{
id: 1,
message: "Funny"
},
{
id: 2,
message: "Informational"
}
]
}
]
}
You see that the “belongsTo” relationships are detected and the foreign key value is replaced by the referenced object. In case of “hasMany” and “hasAndBelongsToMany” the table name is used a new property on the object.
When you want to create, read, update or delete you may specify multiple primary key values in the URL. You also need to send an array instead of an object in the request body for create and update.
To read a record from this table the request can be written in URL format as:
GET /records/posts/1,2
The result may be:
[
{
"id": 1,
"title": "Hello world!",
"content": "Welcome to the first post.",
"created": "2018-03-05T20:12:56Z"
},
{
"id": 2,
"title": "Black is the new red",
"content": "This is the second post.",
"created": "2018-03-06T21:34:01Z"
}
]
Similarly when you want to do a batch update the request in URL format is written as:
PUT /records/posts/1,2
Where “1” and “2” are the values of the primary keys of the records that you want to update. The body should contain the same number of objects as there are primary keys in the URL:
[
{
"title": "Adjusted title for ID 1"
},
{
"title": "Adjusted title for ID 2"
}
]
This adjusts the titles of the posts. And the return values are the number of rows that are set:
1,1
Which means that there were two update operations and each of them had set one row. Batch operations use database transactions, so they either all succeed or all fail (successful ones get roled back).
For spatial support there is an extra set of filters that can be applied on geometry columns and that starting with an “s”:
These filters are based on OGC standards and so is the WKT specification in which the geometry columns are represented.
Authentication is done by means of sending a “Authorization” header. It identifies the user and stores this in the $_SESSION
super global.
This variable can be used in the authorization handlers to decide wether or not sombeody should have read or write access to certain tables, columns or records.
Currently there are two types of authentication supported: “Basic” and “JWT”. This functionality is enabled by adding the ‘basicAuth’ and/or ‘jwtAuth’ middleware.
The Basic type supports a file that holds the users and their (hashed) passwords separated by a colon (‘:’).
When the passwords are entered in plain text they fill be automatically hashed.
The authenticated username will be stored in the $_SESSION['username']
variable.
You need to send an “Authorization” header containing a base64 url encoded and colon separated username and password after the word “Basic”.
Authorization: Basic dXNlcm5hbWUxOnBhc3N3b3JkMQ
This example sends the string “username1:password1”.
The JWT type requires another (SSO/Identity) server to sign a token that contains claims.
Both servers share a secret so that they can either sign or verify that the signature is valid.
Claims are stored in the $_SESSION['claims']
variable. You need to send an “X-Authorization”
header containing a base64 url encoded and dot separated token header, body and signature after
the word “Bearer” (read more about JWT here). The standard says you need to
use the “Authorization” header, but this is problematic in Apache and PHP.
X-Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6IjE1MzgyMDc2MDUiLCJleHAiOjE1MzgyMDc2MzV9.Z5px_GT15TRKhJCTHhDt5Z6K6LRDSFnLj8U5ok9l7gw
This example sends the signed claims:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": "1538207605",
"exp": 1538207635
}
NB: The JWT implementation only supports the RSA and HMAC based algorithms.
The Authorization model acts on “operations”. The most important ones are listed here:
method path - operation - description
----------------------------------------------------------------------------------------
GET /records/{table} - list - lists records
POST /records/{table} - create - creates records
GET /records/{table}/{id} - read - reads a record by primary key
PUT /records/{table}/{id} - update - updates columns of a record by primary key
DELETE /records/{table}/{id} - delete - deletes a record by primary key
PATCH /records/{table}/{id} - increment - increments columns of a record by primary key
The “/openapi
” endpoint will only show what is allowed in your session. It also has a special
“document” operation to allow you to hide tables and columns from the documentation.
For endpoints that start with “/columns
” there are the operations “reflect” and “remodel”.
These operations can display or change the definition of the database, table or column.
This functionality is disabled by default and for good reason (be careful!).
Add the “columns” controller in the configuration to enable this functionality.
By default all tables and columns are accessible. If you want to restrict access to some tables you may add the ‘authorization’ middleware and define a ‘authorization.tableHandler’ function that returns ‘false’ for these tables.
'authorization.tableHandler' => function ($operation, $tableName) {
return $tableName != 'license_keys';
},
The above example will restrict access to the table ‘license_keys’ for all operations.
'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
return !($tableName == 'users' && $columnName == 'password');
},
The above example will restrict access to the ‘password’ field of the ‘users’ table for all operations.
'authorization.recordHandler' => function ($operation, $tableName) {
return ($tableName == 'users') ? 'filter=username,neq,admin' : '';
},
The above example will disallow access to user records where the username is ‘admin’. This construct adds a filter to every executed query.
NB: You need to handle the creation of invalid records with a validation (or sanitation) handler.
By default all input is accepted and sent to the database. If you want to strip (certain) HTML tags before storing you may add the ‘sanitation’ middleware and define a ‘sanitation.handler’ function that returns the adjusted value.
'sanitation.handler' => function ($operation, $tableName, $column, $value) {
return is_string($value) ? strip_tags($value) : $value;
},
The above example will strip all HTML tags from strings in the input.
By default all input is accepted. If you want to validate the input, you may add the ‘validation’ middleware and define a ‘validation.handler’ function that returns a boolean indicating whether or not the value is valid.
'validation.handler' => function ($operation, $tableName, $column, $value, $context) {
return ($column['name'] == 'post_id' && !is_numeric($value)) ? 'must be numeric' : true;
},
When you edit a comment with id 4 using:
PUT /records/comments/4
And you send as a body:
{"post_id":"two"}
Then the server will return a ‘422’ HTTP status code and nice error message:
{
"code": 1013,
"message": "Input validation failed for 'comments'",
"details": {
"post_id":"must be numeric"
}
}
You can parse this output to make form fields show up with a red border and their appropriate error message.
You may use the “multiTenancy” middleware when you have a multi-tenant database. If your tenants are identified by the “customer_id” column you can use the following handler:
'multiTenancy.handler' => function ($operation, $tableName) {
return ['customer_id' => 12];
},
This construct adds a filter requiring “customer_id” to be “12” to every operation (except for “create”). It also sets the column “customer_id” on “create” to “12” and removes the column from any other write operation.
You may use the “joinLimits” and “pageLimits” middleware to prevent database scraping. The “joinLimits” middleware limits the table depth, number of tables and number of records returned in a join operation. If you want to allow 5 direct direct joins with a maximum of 25 records each, you can specify:
'joinLimits.depth' => 1,
'joinLimits.tables' => 5,
'joinLimits.records' => 25,
The “pageLimits” middleware limits the page number and the number records returned from a list operation. If you want to allow no more than 10 pages with a maximum of 25 records each, you can specify:
'pageLimits.pages' => 10,
'pageLimits.records' => 25,
NB: The maximum number of records is also applied when there is no page number specified in the request.
You may use the “customization” middleware to modify request and response and implement any other functionality.
'customization.beforeHandler' => function ($operation, $tableName, $request, $environment) {
$environment->start = microtime(true);
},
'customization.afterHandler' => function ($operation, $tableName, $response, $environment) {
$response->addHeader('X-Time-Taken', microtime(true) - $environment->start);
},
The above example will add a header “X-Time-Taken” with the number of seconds the API call has taken.
File uploads are supported through the FileReader API.
On the “/openapi” end-point the OpenAPI 3.0 (formerly called “Swagger”) specification is served. It is a machine readable instant documentation of your API. To learn more, check out these links:
There are 4 cache engines that can be configured by the “cacheType” config parameter:
You can install the dependencies for the last three engines by running:
sudo apt install php-redis redis
sudo apt install php-memcache memcached
sudo apt install php-memcached memcached
The default engine has no dependencies and will use temporary files in the system “temp” path.
You may use the “cachePath” config parameter to specify the file system path for the temporary files or in case that you use a non-default “cacheType” the hostname (optionally with port) of the cache server.
These are the supported types with their default length/precision/scale:
character types
boolean types:
integer types:
floating point types:
decimal types:
date/time types:
binary types:
other types:
JavaScript does not support 64 bit integers. All numbers are stored as 64 bit floating point values. The mantissa of a 64 bit floating point number is only 53 bit and that is why all integer numbers bigger than 53 bit may cause problems in JavaScript.
The following errors may be reported:
Error | HTTP response code | Message |
---|---|---|
1000 | 404 Not found | Route not found |
1001 | 404 Not found | Table not found |
1002 | 422 Unprocessable entity | Argument count mismatch |
1003 | 404 Not found | Record not found |
1004 | 403 Forbidden | Origin is forbidden |
1005 | 404 Not found | Column not found |
1006 | 409 Conflict | Table already exists |
1007 | 409 Conflict | Column already exists |
1008 | 422 Unprocessable entity | Cannot read HTTP message |
1009 | 409 Conflict | Duplicate key exception |
1010 | 409 Conflict | Data integrity violation |
1011 | 401 Unauthorized | Authentication required |
1012 | 403 Forbidden | Authentication failed |
1013 | 422 Unprocessable entity | Input validation failed |
1014 | 403 Forbidden | Operation forbidden |
1015 | 405 Method not allowed | Operation not supported |
1016 | 403 Forbidden | Temporary or permanently blocked |
1017 | 403 Forbidden | Bad or missing XSRF token |
1018 | 403 Forbidden | Only AJAX requests allowed |
1019 | 403 Forbidden | Pagination Forbidden |
9999 | 500 Internal server error | Unknown error |
The following JSON structure is used:
{
"code":1002,
"message":"Argument count mismatch in '1'"
}
NB: Any non-error response will have status: 200 OK
I am testing mainly on Ubuntu and I have the following test setups:
This covers not all environments (yet), so please notify me of failing tests and report your environment. I will try to cover most relevant setups in the “docker” folder of the project.
To run the functional tests locally you may run the following command:
php test.php
This runs the functional tests from the “tests” directory. It uses the database dumps (fixtures) and database configuration (config) from the corresponding subdirectories.
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.php index.html index.htm index.nginx-debian.html;
server_name server_domain_or_IP;
location / {
try_files $uri $uri/ =404;
}
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
Install docker using the following commands and then logout and login for the changes to take effect:
sudo apt install docker.io
sudo usermod -aG docker ${USER}
To run the docker tests run “build_all.sh” and “run_all.sh” from the docker directory. The output should be:
================================================
Debian 9 (PHP 7.0)
================================================
[1/4] Starting MariaDB 10.1 ..... done
[2/4] Starting PostgreSQL 9.6 ... done
[3/4] Starting SQLServer 2017 ... skipped
[4/4] Cloning PHP-CRUD-API v2 ... skipped
------------------------------------------------
mysql: 95 tests ran in 2651 ms, 0 failed
pgsql: 95 tests ran in 573 ms, 0 failed
sqlsrv: skipped, driver not loaded
================================================
Ubuntu 16.04 (PHP 7.0)
================================================
[1/4] Starting MariaDB 10.0 ..... done
[2/4] Starting PostgreSQL 9.5 ... done
[3/4] Starting SQLServer 2017 ... done
[4/4] Cloning PHP-CRUD-API v2 ... skipped
------------------------------------------------
mysql: 95 tests ran in 2670 ms, 0 failed
pgsql: 95 tests ran in 550 ms, 0 failed
sqlsrv: 95 tests ran in 6624 ms, 0 failed
================================================
Ubuntu 18.04 (PHP 7.2)
================================================
[1/4] Starting MySQL 5.7 ........ done
[2/4] Starting PostgreSQL 10.4 .. done
[3/4] Starting SQLServer 2017 ... skipped
[4/4] Cloning PHP-CRUD-API v2 ... skipped
------------------------------------------------
mysql: 95 tests ran in 3186 ms, 0 failed
pgsql: 95 tests ran in 556 ms, 0 failed
sqlsrv: skipped, driver not loaded
The above test run (including starting up the databases) takes less than one minute on my machine.
$ ./run.sh
1) debian9
2) ubuntu16
3) ubuntu18
> 3
================================================
Ubuntu 18.04 (PHP 7.2)
================================================
[1/4] Starting MySQL 5.7 ........ done
[2/4] Starting PostgreSQL 10.4 .. done
[3/4] Starting SQLServer 2017 ... skipped
[4/4] Cloning PHP-CRUD-API v2 ... skipped
------------------------------------------------
mysql: 95 tests ran in 3186 ms, 0 failed
pgsql: 95 tests ran in 556 ms, 0 failed
sqlsrv: skipped, driver not loaded
root@b7ab9472e08f:/php-crud-api#
As you can see the “run.sh” script gives you access to a prompt in a chosen the docker environment. In this environment the local files are mounted. This allows for easy debugging on different environments. You may type “exit” when you are done.