Build a PHP SaaS app from scratch

This is the first of 3 posts which will talk about launching your own SaaS product (or converting your existing single tenant app to a SaaS app). We will cover various aspects from developing the app to building a SaaS site (to enable your clients to signup for it)

We will be looking at…
1. Creating your app
The app is the product that you are going to sell. If you already have this app ready, you will only have to modify it so that it is compatible for multiple clients. The app is the front-end for your client’s end-users.
2. Creating your SaaS site
The site is the front-end for your clients. They will be using your site to signup for the app.
3. Hosting et al.
We will talk about how to host your app + site, how to ensure scaling, setting up DNS & SSL, database versioning etc.
Part 1: Create your app
Before you begin with selling your product, you need to have a product. Let us first try and understand the SaaS architecture. Every app consists of two parts: code & data. Now, every client has end-users; the data is shared between these end-users and (mostly) not with other clients’ end-users. So every set of end-users (of each client) should access a different set of data. In most cases, the code used by all the clients can be the same.
Now there are various ways in which a SaaS app can be designed:
Option 1 – Single database, single code-base
Use a single database and store all client data in a single database. You will have to add a field like “clientid” in all your tables and modify all your SQL queries to select the correct “clientid”. If you already have a single tenant app, then heavy modification is required in the code.
Advantages: Easy to manage database & updates; no duplication.
Disadvantages: If you miss out a “clientid” in the SQL query, it may result in issues with another client.
Option 2 – Multiple database, single code-base
Create a separate database for every client. No modification is required to your existing single-tenant codebase. You will only have to modify the configuration file to select a database depending on the client.
Advantages: Very little codebase modification, easy to ensure client data does not get mixed.
Disadvantages: Multiple databases to manage so in the event of DB schema updates, you will have to update each and every database.
Option 3 – Multiple database, multiple code-base
Create a separate database & duplicate the complete code for every client. No modification required at all.
Advantages: No codebase modification, easy to ensure client data does not get mixed, easy to perform client specific modifications.
Disadvantages: Multiple databases/code to manage so in the event of DB schema/code updates, you will have to manually update for each client.
There are a number of articles discussing which approach is the best but option 2 helps us develop a scalable SaaS solution in the quickest possible way. So we will stick to option 2 for this tutorial.
If you already have an app then you will only have to modify the configuration file as below. If you do not, then make sure your configuration file looks something like below and the rest of the app can be however you like it.
Let us begin with the PHP part. You should be ideally using a framework like Symfony or Zend to create your app. To simplify, I am only going to be talking about config.php:
This is how a simple standard config.php file looks: (usually DB connection is not part of this, but for a clearer explanation, I have added it)
<?php define('DB_SERVER','localhost'); define('DB_PORT','3306'); define('DB_USERNAME','root'); define('DB_PASSWORD','password'); define('DB_NAME','dummyapp'); $dbh = mysql_connect(DB_SERVER.':'.DB_PORT,DB_USERNAME,DB_PASSWORD); if (!$dbh) { echo "Oops! Something went horribly wrong."; exit(); } mysql_selectdb(DB_NAME,$dbh);
In the above code, when the user visits a PHP page, it calls config.php, which stores the database configuration & connects the database. Then the remaining PHP files, calling this configuration file, can connect to the DB.
The problem in the above code is that it is built for a single client (with a single set of end-users). We need to modify this code so that for each client, a different database is used. So depending on how the app is called (i.e. depending on the URL), we will connect to a different database. If you look at SaaS apps online, you will find that they assign a unique sub-domain to every client. This technique will come in handy.
So if your site is mydummyapp.com, then when a client registers, he will be assigned a URL like anantgarg.mydummyapp.com, yourname.mydummyapp.com etc. Now, all end-users of the client will connect to the same sub-domain.
To make our app SaaS friendly we need to check the sub-domain and then accordingly connect to a database. We will perform the following checks:

1. Let the end-user visit the app using *.mydummyapp.com (DNS configuration in next post)
2. Check a central table if the sub-domain is registered; if yes, to whom? Then fetch the DB details
3. Connect the end-user to the client’s DB

Here is how a modified config.php will look:
<?php $data = explode('.',$_SERVER['SERVER_NAME']); // Get the sub-domain here // Add some sanitization for $data if (!empty($data[0])) { $subdomain = $data[0]; // The * of *.mydummyapp.com will be now stored in $subdomain } // Contact a central database (which stores information about all clients define('SITE_DB_SERVER','localhost'); define('SITE_DB_PORT','3306'); define('SITE_DB_USERNAME','root'); define('SITE_DB_PASSWORD','password'); define('SITE_DB_NAME','dummysite'); $sitedbh = mysql_connect(SITE_DB_SERVER.':'.SITE_DB_PORT,SITE_DB_USERNAME,SITE_DB_PASSWORD); // Get client's DB details (make sure $subdomain is already sanitized) $sitemysql = mysql_query('select id,dbusername,dbpassword from clients where subdomain = '.$subdomain.'); $appdata = mysql_fetch_row($sitemysql); // You can add caching code here to skip the above DB call if (empty($appdata['id'])) { // If the client does not exist i.e. the end-user types the wrong sub-domain echo "Oops! Sorry, we are unable to find you! Please email us at [email protected]"; exit(); } define('DB_SERVER','localhost'); define('DB_PORT','3306'); define('DB_USERNAME',$appdata['dbusername']); define('DB_PASSWORD',$appdata['dbpassword']); define('DB_NAME','dummyapp_'.$appdata['id']); $dbh = mysql_connect(DB_SERVER.':'.DB_PORT,DB_USERNAME,DB_PASSWORD); if (!$dbh) { exit(); } mysql_selectdb(DB_NAME,$dbh); // Success! Now we can continue to use the app as-is!
If you are modifying your existing app, then you only need to modify your configuration file and make it similar to the above. The rest of the app should not need any modification (as long as you are not saving any files). If you have files, then you will have to modify the file upload code and add a folder e.g. /uploads/$subdomain/$filename.
If you are testing on localhost, you can simply add something like the following to your hosts file:
127.0.0.1 test.mydummyapp.com 127.0.0.1 test2.mydummyapp.com
Part 2: Create your SaaS site
I assume you can create a simple SaaS site with user registration. On your registration page, you will need to have something like:
Username: _ _ _ _ _ _ _ _ Password: _ _ _ _ _ _ _ _ Subdomain: _ _ _ _ _ _ _ _ (.mydummyapp.com):
You will need to create a common DB (e.g. dummysite) with a table called “clients”. In your real site, you will also need other tables like “subscriptions” which will hold payment information.
create table clients ( id int default 0 auto_increment, username varchar(50), password varchar(255), subdomain varchar(50), dbusername varchar(50), dbpassword varchar(50) )
Now for every client who signs up on your site, you will have to add an entry into the above table. You will also have to create random dbusername & dbpassword. And finally, you need to create a new DB for this client.
The PHP code for that will be:
// Connect to database instance (which stores all app DBs) $dbh = mysql_connect(DB_SERVER.':'.DB_PORT,DB_MASTERUSERNAME,DB_MASTERPASSWORD); // Create DB ($id will have value of client's inserted ID) mysql_query("CREATE DATABASE mydummyapp_".$id."",$dbh) or die(mysql_error()); // Create user and grant all privileges for the above DB mysql_query("GRANT ALL ON mydummyapp_".$id.".* to ".$dbusername." identified by '".$dbpassword."'",$dbh) or die(mysql_error());
Once this is done, you should be able to put all the pieces together and get your first SaaS app up and running.
Part 3: Putting it all together
The site structure will be as follows-
www.mydummyapp.com: SaaS site (where the client registers)
*.mydummyapp.com: SaaS app (catch-all points to the actual app)
The workflow is as follows:
1. The client visits www.mydummyapp.com
2. The client registers on the site
3. The site creates the a DB (and user) for the client (and adds an entry in the site’s DB)
4. The client then uses the new URL (i.e. clientsubdomain.mydummyapp.com) for himself & his end-users
5. The end-users directly visit clientsubdomain.mydummyapp.com which is basically the app using the client’s DB
Where do we go from here?
We have achieved quite a bit using this tutorial. We have setup our app and site and can now allow clients to register and use the app. In the next parts will we discuss about managing the databases, setting up DNS, handling hosting, scaling and other tips & tricks.
Discuss, Share & Subscribe
Do let me know your suggestions on how I can improve this tutorial. If you like what you are reading, then please help spread the word by re-tweeting, blogging and sharing this tutorial. Thank you.
To get a notification when the next part is ready, please subscribe using the form at the bottom of this page.

eric
Dear Anant,
You have great insights, thank you very much!
I am a developer, my apps been in vb6/MySQL for many years. Now m trying to
develop some of the apps afresh but in PHP/MySQL to be web based ideally
towards SaaS.
Your article was very insightful, could you complete it soon the part about Saas Apps hosting please? I basically want to host the app, have already developed some
sort of a web licensing app but hosting it is a bit of a challenge. And i also
have some small test modules in PHP but also hosting for each client is needed.
I had already taken option 2 plan in design and i am so impressed had thought
right in my design – exactly how you explained here.
I eagerly await the hosting part of your SaaS article please.
Thanks
EM
- Anant Garg
  Yes, will be publishing part 2 on Monday. Do subscribe using the form below to stay up-to-date 🙂
m.zam
Hi Anant,
what is your comment if i’m choosing Option 1 for my database but i’m creating multiple unique data tables for each user except for those tables which are generally use by the application for all user (normally the configuration tables) such as user_profiles table.
Each user tables will have the prefix of related user_id.
your comments is very much appreciated
thanks
Franko
Thank you very much. Cant wait to see second part of this series. I’m starting from scratch to build SaaS base web app. And don’t have much experience doing this. This is very helpful.
- Anant Garg
  Have a look at: http://anantgarg.com/2013/06/17/amazon-beanstalk-php-hosting-database-versioning-for-saas/
Shaik Naushad
hey anant
do try to release the next part as soon as possible
lnjklkl
hkjhkj
Chintan Parikh
hi anant,
I have been following you blog for long time.I loved the php MVC framework you did earlier.
Is it Possible to use same framework for SaaS?
And can you help me with redirect using .htaccess for *.dummyapp.com
Here is code from you framework
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?url=$1 [PT,L]
How can I rewrite this to something like index.php?subdomain=&url=$1?
Thanks
Liezel Apundar
Thank you very much!! this is exactly what i’m looking for!! 😀
you’re the best! 🙂
Rakesh
that was nice and what i was looking for how to build a SaaS cloud application….. Thank you…!!!! release next discussion early….
Arold Jacques
Wow thanks for posting this SaaS tut, much needed anant. Will be following up for the remaining part cool.
Anas
Thank you very much!
stevebobby
Love what you’ve done so far, looking foward to reading the next step.
Matt
Really, really nice article. I hope you won’t forget to make the other two parts 🙂
Seraph
THX you made my day 😀
Mojotaker
This is Gold. You should get Paid for info like this.. Very simple explanation, short and to the point. Thank your for your awesome time, Site, and of course Knowledge.
If you do have time, Can you give us another post like this that covers this same thing but with single page javascript applications, that resolves issues of cross domain ajax requests, authentication, and send security token through custom headers (csrf protection). Thank you
pulsarcoder
Very essential tutorial that you presented with a clean and clear way. thanks a lot.
Kiranbabu Sannapu
can i do this in codegnitor php framework.
Sukanta Ranasingh
This Post was valuable for SAAS application. Can you post the next for Setting DNS, Hosting and other?
Rajaa T
nice article , waiting for next article
Sandeep Kumar
I was looking for donation buttons when I read this. Its wonderful tutorial and saved my huge time.
German
When is part 2?
alimnios
Waiting for part 2…
judge jos
seriously using mysql_query ???
Brijesh
Which file should i edit in codeigniter? config.php or database.php
nabberuk
If the users table is in a different database how do you check it for permissions etc when the user is using the app?
bilalshareef
Good Article. It would be great if next post with DNS configuration is released.
Damian
hghg
kamil khan
Very few articles on the net explain these basic architecture of SaaS with such simplicity .. Great post Anant..
m,sdnf
hello
m,sdnf
kuch dhang ka bhi bta diyo karo
m,sdnf
abe bol na
Mark Railton
My eyes are bleeding from looking at this, do not – EVER – use mysql_connect. It is horrible insecure, offers no additional protection like param binding and is just inefficient as all hell. For creating any new application you should be using PDO which is faster and offers a ton of security from the offset.
- Kishor Kurian
  This was probably written when mysql_* functions werent deprecated.
  - Mark Railton
    It was written in the middle of 2013, the mysql_ functions may not have been deprecated then, but at that point it was widely known that mysql_ functions was a very bad way to program.
    - seTweaks
      The article is focused on structuring a simple SaaS, not coding practices.
      - Kishor Kurian
        Yes, it focusses on structuring a SaaS system, but code with deprecated funtions might make the readers think its good to go. Just making my point here. Not saying its anyones fault.
      - Mark Railton
        And that excuses using vulnerable code that is known to cause security issues?
      - Iuli Dercaci
        This is not an excuse for that but also not the real reason to show off and scream like a sick kid “my eyes ..” , simply say that this code should not be used in production because of … and so on
Michel Many
Where’s the part 2 ?
sdsadsads
dsaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
ocean2farhan
Great Article. Helped me with the basics of a SAAS Site
Katty GRANDA
Hello,
I search a solution to create a SaaS application…but based on a CMS (Drupal , WordPress, Typo3, EzPublish,…or other?).
it will allow me to develop my application with little technical knowledge I have …
Do you know if it is possible?
Katty GRANDA
it’s OK!
I found how to begin my SaaS application easily with only a CMS and an “all in one” plugin to do it (and 75$ to buy the plugin…) but with no dev.
Now I ‘ll finally be able to test my business concept without having to make a big investment (Fortunately this is perhaps a lame idea 😉 )
Thanks to Franck R. who had give me the solution.
see you,
Katt.
- Eduardo WB
  Hello Katty. I am surprised that you paid that much to test your business concept! If you are interested in having help with dev and tech stuff, you can contact me. I am always willing to help and exercise knowledge together and know about new ideas. Good luck with your projects 🙂
  - Justin Martin
    hi Edwardo i could really use this kind of help right now
    - Eduardo WB
      Let´s get in touch then Justin.
      - Justin Martin
        thank you, that will be amazing, my email is [email protected]
  - Daljeet Singh
    Hi Eduardo, I want to connect with you in regards to the SaaS model building for a standalone web application. My email is [email protected].
    - Eduardo WB
      Hello. I tried to send an e-mail to you but it says the mailbox is unavailable. You can reach me at eduwb88[at]gmail[dot]com
sagar
how to create subdomain dynamically ? means when user registers and successful then we need to create a subdomain url for him how to create that using code?
- Isaac Hernández Cabrera
  Hi, did you find a way to create subdomain dynamically ?
Usama Lucky
Can you please give me the link of 2nd part i can not find it
Eduardo WB
Thanks for sharing and pointing the workflow. Now waiting for the next parts.
szaboolcs
Hey, ok I saw that it’s an old article but when i was reading and reading and i suddenly saw a horrible thing in the 23th row I thought that I jump out across the window… Man.. .mg this is a really big sql injection fault? I hope it is just a really bad joke!
Vasim
this is an awesome article on SaaS, but how is it different than a normal web application ? what is it specific to be called as SaaS ?
John zenith
Well, I think this post has explained to a bit, how to implement a SaaS web app, with an easy to follow workflow. Howbeit the code here should never be used on a production site for any reason, it has lots of security weaknesses.
Shapiro Ezekiel
This has given a general overview of saas concepts but on production scale, there is more caution to be taken for security.
devendra choudhary
can you please give me link?
devendra choudhary
can you please give me second part link?
Hamid Abbasi
Thanks ANANT, This is very helpful post, but what was the rest of it?
I need it, because your describe is very simple to understand, you are amazing author…
george samy
5 years later and you haven’t written the rest of the article..
- Justinas Beinorius
  He will come back, maybe.
- Alex Monte
  waiting anxiously
- rublu tv
  He died guys, Rest in Peace 🙁
  - Amit Mhaske
    Is is true or its just your assumption?
L’ Mondayrris
Amazing author, where are you