About
Everything you need to know about the scaffold — what it is, what's included, and how to extend it.
What is this?
This is a lightweight, zero-dependency PHP MVC scaffold built for starting new projects quickly. It gives you a solid foundation — routing, authentication, session management, database access, input validation, CSRF protection, and audit logging — without pulling in a full framework.
The goal is to stay small enough that you can read and understand every file, while covering the security and structural concerns that every real project eventually needs.
What's included
Core
- ✓ Router — static + regex routes, method matching, auth/role guards
- ✓ BaseController — layout-aware view rendering with output buffering
- ✓ Database — PDO singleton with query helpers and transaction support
- ✓ Auth — session-based login/logout with role guards
Security
- ✓ CSRF — token generation, hidden field helper, enforcement on POST
- ✓ Validator — fluent rules: required, email, min, max, in, numeric
- ✓ RateLimiter — DB-backed, 5 attempts / 15 min per email+IP
- ✓ AuditLogger — logs mutations to the audit_log table
Auth flow
- ✓ Owner registration at /register
- ✓ Unified login at /login — detects owner vs staff automatically
- ✓ Session fixation prevention on login
- ✓ Full session destroy on logout
Database tables
- ◦ owners — registered account holders
- ◦ users — staff accounts with roles
- ◦ login_attempts — rate limiter backing store
- ◦ audit_log — immutable action history
Design goal
Stay small enough to understand in an afternoon, but complete enough that you don't have to rebuild the same boilerplate on every new project. No magic, no hidden conventions.
When to use it
Internal tools, client dashboards, admin panels, or any project where a full framework is overkill but you still want proper structure and security from day one.