DEV.co
Open-Source Databases · mevdschee

php-crud-api

PHP-CRUD-API is a single-file PHP script that automatically generates a REST API from a SQL database (MySQL, PostgreSQL, SQL Server, SQLite). Upload the file, configure credentials, and get instant CRUD operations, filtering, pagination, and OpenAPI documentation without writing code.

Source: GitHub — github.com/mevdschee/php-crud-api
3.7k
GitHub stars
1k
Forks
PHP
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorymevdschee/php-crud-api
Ownermevdschee
Primary languagePHP
LicenseMIT — OSI-approved
Stars3.7k
Forks1k
Open issues87
Latest releasev2.16.2 (2026-06-29)
Last updated2026-06-29
Sourcehttps://github.com/mevdschee/php-crud-api

What php-crud-api is

Implements TreeQL reference in PHP using PDO drivers for multi-database support. Features include relation detection (belongsTo, hasMany, HABTM), spatial/GIS support via WKT/GeoJSON, middleware-based authentication (API key, JWT, basic auth), permission system (database/table/column/record level), and PSR-4/7/12/15/17 compliance.

Quickstart

Get the php-crud-api source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/mevdschee/php-crud-api.gitcd php-crud-api# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Rapid prototyping and MVP database APIs

Deploy a fully functional CRUD API in minutes without backend development. Ideal for startups validating ideas or teams needing quick database frontends.

Legacy database exposure with minimal refactoring

Map existing table/column names and expose legacy SQL schemas via REST without rewriting database or application logic. Supports multi-tenant layouts.

Geospatial and analytical APIs

Native support for PostGIS and spatial fields (WKT/GeoJSON) simplifies building location-aware services. Built-in filtering, sorting, and column selection suit reporting use cases.

Implementation considerations

  • Primary keys must be auto-increment (1 to 2^53) or UUID; composite keys unsupported. Validate database schema before deployment.
  • Configure environment variables (PHP_CRUD_API_*) for credentials; never commit hardcoded secrets to version control.
  • Enable only required tables via 'tables' config and implement column-level permissions to reduce attack surface.
  • For multi-tenant setups, use 'mapping' config to namespace tables and validate tenant context in custom controllers.
  • SQLite does not support bigint auto-increment PKs or column alteration; use MySQL/PostgreSQL for full CRUD DDL support.

When to avoid it — and what to weigh

  • Complex transactional workflows required — Limitations explicitly exclude complex writes and transactions. Not suitable for multi-step operations requiring rollback or ACID guarantees across tables.
  • High-security or regulated compliance environments — Single-file architecture and feature-rich defaults (e.g., default all-tables exposure) require careful security hardening. Requires external audit for HIPAA, PCI-DSS, or SOC 2.
  • Composite keys or advanced domain logic — Documentation states composite primary and foreign keys are not supported. Custom business logic, validations, or aggregations (e.g., SUM, CONCAT) require external implementation.
  • Enterprise integration and change management — Single maintainer project with 87 open issues. Production use in large teams or enterprises demands dedicated support contracts and internal governance processes.

License & commercial use

MIT License (permissive). Grants rights to use, modify, distribute, and sublicense for commercial and private use, provided MIT notice is retained.

MIT is an OSI-approved permissive license permitting commercial use without royalties. However, no warranty is provided and no liability is assumed. For mission-critical or regulated deployments, verify internal legal and compliance requirements; consider engaging the maintainer or community for professional support.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Single-file design simplifies deployment but centralizes risk. Configuration supports authentication (API key, JWT, basic auth) and middleware-based CORS; column/record-level permissions available. Consider: database credentials in config require secrets management; debug mode exposes errors in headers; default 'all tables' exposure needs explicit 'tables' whitelist; no built-in rate limiting or input sanitization beyond type rules; external security audit recommended before production use in regulated environments.

Alternatives to consider

PostgREST (Haskell)

Standalone binary auto-exposing PostgreSQL schema as REST API. Stronger security model and performance; requires PostgreSQL only; steeper DevOps learning curve.

Supabase (PostgreSQL + Auth)

Managed cloud platform with auto-generated REST API, real-time, and built-in authentication. Reduces operational burden; vendor lock-in risk; higher cost.

Hasura (GraphQL/REST)

GraphQL engine with REST support, permissions, and event triggers. More powerful for complex queries; steeper learning curve; requires PostgreSQL/MySQL/MSSQL.

Software development agency

Build on php-crud-api with DEV.co software developers

Download api.php, configure your database credentials, and launch a production-ready CRUD API in under 5 minutes. Perfect for MVPs, prototypes, and legacy system modernization.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

php-crud-api FAQ

Can I use PHP-CRUD-API in production?
Yes, MIT licensing allows commercial use. Evaluate security (credentials, permissions, authentication), test limits (single maintainer, 87 open issues), and plan support strategy (community or paid). Not suitable for regulated industries without external security audit.
Does it support transactions or complex business logic?
No. Limitations explicitly exclude complex writes, transactions, and function calls (SUM, CONCAT). Implement business logic in a wrapper layer or external service.
How do I secure database credentials?
Use environment variables (PHP_CRUD_API_USERNAME, PHP_CRUD_API_PASSWORD) rather than hardcoding in api.php. Pair with a secrets manager (AWS Secrets Manager, HashiCorp Vault) in production.
Does it work with legacy databases?
Yes, 'mapping' config allows renaming tables/columns. Composite keys unsupported; primary keys must be auto-increment or UUID. Schema must define foreign key constraints.

Software development & web development with DEV.co

DEV.co helps companies turn open-source tools like php-crud-api into production software. Our software development services cover the full lifecycle — architecture, web development, integration, and maintenance — delivered by software developers and web developers who ship. Engage our software development agency to implement or customize it for your open-source databases stack.

Ready to expose your database as a REST API?

Download api.php, configure your database credentials, and launch a production-ready CRUD API in under 5 minutes. Perfect for MVPs, prototypes, and legacy system modernization.