php-crud-api
PHP-CRUD-API is a single-file PHP script that automatically generates a REST API from a SQL database (MySQL, PostgreSQL, SQL Server, SQLite). Upload the file, configure credentials, and get instant CRUD operations, filtering, pagination, and OpenAPI documentation without writing code.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | mevdschee/php-crud-api |
| Owner | mevdschee |
| Primary language | PHP |
| License | MIT — OSI-approved |
| Stars | 3.7k |
| Forks | 1k |
| Open issues | 87 |
| Latest release | v2.16.2 (2026-06-29) |
| Last updated | 2026-06-29 |
| Source | https://github.com/mevdschee/php-crud-api |
What php-crud-api is
Implements TreeQL reference in PHP using PDO drivers for multi-database support. Features include relation detection (belongsTo, hasMany, HABTM), spatial/GIS support via WKT/GeoJSON, middleware-based authentication (API key, JWT, basic auth), permission system (database/table/column/record level), and PSR-4/7/12/15/17 compliance.
Get the php-crud-api source
Clone the repository and explore it locally.
git clone https://github.com/mevdschee/php-crud-api.gitcd php-crud-api# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Primary keys must be auto-increment (1 to 2^53) or UUID; composite keys unsupported. Validate database schema before deployment.
- Configure environment variables (PHP_CRUD_API_*) for credentials; never commit hardcoded secrets to version control.
- Enable only required tables via 'tables' config and implement column-level permissions to reduce attack surface.
- For multi-tenant setups, use 'mapping' config to namespace tables and validate tenant context in custom controllers.
- SQLite does not support bigint auto-increment PKs or column alteration; use MySQL/PostgreSQL for full CRUD DDL support.
When to avoid it — and what to weigh
- Complex transactional workflows required — Limitations explicitly exclude complex writes and transactions. Not suitable for multi-step operations requiring rollback or ACID guarantees across tables.
- High-security or regulated compliance environments — Single-file architecture and feature-rich defaults (e.g., default all-tables exposure) require careful security hardening. Requires external audit for HIPAA, PCI-DSS, or SOC 2.
- Composite keys or advanced domain logic — Documentation states composite primary and foreign keys are not supported. Custom business logic, validations, or aggregations (e.g., SUM, CONCAT) require external implementation.
- Enterprise integration and change management — Single maintainer project with 87 open issues. Production use in large teams or enterprises demands dedicated support contracts and internal governance processes.
License & commercial use
MIT License (permissive). Grants rights to use, modify, distribute, and sublicense for commercial and private use, provided MIT notice is retained.
MIT is an OSI-approved permissive license permitting commercial use without royalties. However, no warranty is provided and no liability is assumed. For mission-critical or regulated deployments, verify internal legal and compliance requirements; consider engaging the maintainer or community for professional support.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
Single-file design simplifies deployment but centralizes risk. Configuration supports authentication (API key, JWT, basic auth) and middleware-based CORS; column/record-level permissions available. Consider: database credentials in config require secrets management; debug mode exposes errors in headers; default 'all tables' exposure needs explicit 'tables' whitelist; no built-in rate limiting or input sanitization beyond type rules; external security audit recommended before production use in regulated environments.
Alternatives to consider
PostgREST (Haskell)
Standalone binary auto-exposing PostgreSQL schema as REST API. Stronger security model and performance; requires PostgreSQL only; steeper DevOps learning curve.
Supabase (PostgreSQL + Auth)
Managed cloud platform with auto-generated REST API, real-time, and built-in authentication. Reduces operational burden; vendor lock-in risk; higher cost.
Hasura (GraphQL/REST)
GraphQL engine with REST support, permissions, and event triggers. More powerful for complex queries; steeper learning curve; requires PostgreSQL/MySQL/MSSQL.
Build on php-crud-api with DEV.co software developers
Download api.php, configure your database credentials, and launch a production-ready CRUD API in under 5 minutes. Perfect for MVPs, prototypes, and legacy system modernization.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
php-crud-api FAQ
Can I use PHP-CRUD-API in production?
Does it support transactions or complex business logic?
How do I secure database credentials?
Does it work with legacy databases?
Software development & web development with DEV.co
DEV.co helps companies turn open-source tools like php-crud-api into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source databases stack.
Ready to expose your database as a REST API?
Download api.php, configure your database credentials, and launch a production-ready CRUD API in under 5 minutes. Perfect for MVPs, prototypes, and legacy system modernization.