• ■ The following projects come with absolutely no warranty of any kind.
  • ■ Whatever you do with this information is your own responsibility.
  • ■ Made for research and fun. Nothing else.
  • ■ All third-party git hosts are only used exclusively as a means to distribute the projects and are NOT the original development repos.

// Blazing fast and unobtrusive MVC framework for PHP7+
Table of Contents
What is pocket_php?

Pocket_php is an MVC framework for PHP7+ that emphasizes performance and simplicity. By abstracting away many of PHP7's shortcomings and implementing an MVC design pattern, the framework provides a safer development and production environment with virtually no performance costs. The entire source code can be read in twenty minutes and was designed with extensibility and mutability in mind to fit any given project that would otherwise require deep modifications of unnecessarily large "solutions" or for the programmer to write generic code that could be prone to security flaws.

It is primarily built for the NGINX server to take full advantage of its scalability and performance, allowing fully featured web projects to be run on budget hardware. A largely unexploited benefit of modern VPS providers that goes ignored due to the bloated minimal requirements of the modern backend libraries we've (erroneously) learned to depend on.

Pocket_php is particularly well suited for hidden services running on budget hardware!

  • ■ MVC implementation automatically limits client access to controller files
  • ■ Non-intrusive HTML templating engine
  • ■ Fully featured session manager with php.ini independent timeout and expiration controls
  • ■ User input sensitization
  • ■ Internal IP tracking & banning
  • ■ Cross-platform, runs on anything that can host a web server
  • ■ Included NGINX configuration
  • ■ Scalable and easily modified
  • ■ Tiny code base providing the very essentials
  • ■ 100% independent & efficient CAPTCHA included
  • ■ The lowest performance hit you've seen or your money back
  • ■ It's fucking free
  • ■ MIT Licensed

Although pocket_php can run on any web server that imitates the provided NGINX configuration, pocket_php is developed primarily for nginx.


1. Install PHP8 and NGINX, I recommend installing both through your package manager.

For Arch / Manjaro :

$ sudo pacman -S nginx php php-fpm php-fpm php-sqlite php-gd sqlitebrowser sqlite

2. Clone the POCKET_PHP repository and set the server permissions.

Note that both the webserver and the php-fpm daemon must have read & write permissions on the project folder.

$ git clone https://git.xenobyte.xyz/XENOBYTE/pocket_php/
$ sudo mkdir /var/web_server
$ sudo chown -R username:group /var/web_server_php
$ sudo chmod -R 755 /var/web_server
$ mv -r pocket_php /var/web_server/
$ sudo chown -R username:group /var/web_server/pocket_php
$ sudo chmod -R 755 /var/web_server/pocket_php

3. Configure NGINX.


Web server configuration is a broad topic, the following setup is intended to be customized for it's intended purpose as an example and is only a basic gestalt of what POCKET_PHP requires working. For development environments extra precautions should be taken like using a dedicated user and group combo to isolate NGINX and PHP to their respective working folders only.
This is specially true for (securely) serving through TOR!

As long as your web server of choice respects the simple rules below, pocket_php will work with it.

1. Serve static files directly
2. Redirect everything else to /app/index.php

The provided virtual server file for NGINX also adds a few security filters to keep some static files (such as the internal DB) private. As a side note, there have been some issues with the way php-fpm handles sqlite databases that share the same name but are from independent projects, a very common case when running multiple websites from a single server, simply rename the database file and update the location constant in configure.php.

Though the default NGINX configuration has moved away from the sites-available / sites-enabled directories, they work well enough and will be implementing the NGINX config using this scheme, feel free to change the paths to ones of your liking. Do note that the PHP-FPM user and group must match the ones set for NGINX.

Create the NGINX configuration folder structure, change the permissions and move the included config files.

$ sudo chown -R user:group /etc/nginx/
$ sudo chown -R 755 /etc/nginx
$ mkdir /etc/nginx/ssl
$ mkdir /etc/nginx/sites-enabled
$ mkdir /etc/nginx/sites-available
$ mv /var/web_server/pocket_php/static/text_files/nginx_config /etc/nginx/nginx.conf
$ mv /var/web_server/pocket_php/static/text_files/nginx_pocket_php_vsb /etc/nginx/sites-available/default
$ sudo ln -s /etc/nginx/sites-available /etc/nginx/sites-enabled
$ sudo systemctl restart nginx.service

Uncomment the SSL Settings block and modify the following lines in the included nginx.conf with your own.

ssl_certificate /etc/nginx/ssl/cert.crt
ssl_certificate_key /etc/ngins/ssl/key.key

Then, uncomment the HTTPS ENABLED (and comment out the HTTPS DISABLED) block in sites-available/default.

4. Configure PHP.

The only relevant changes are to the www.conf and php.ini files. However, POCKET_PHP internally modifies some php.ini settings, others must be manually set in php.ini.

In /etc/php/php.ini

- Uncomment the extension=pdo_sqlite and extension=gd
- Change the default session.name (for security reasons)
- Modify the file upload settings to match your application's needs (the settings required are specified in app/configure.php)

Do note that the selected session.name will be referenced in POCKET_PHP!

In /etc/php/php-fpm.d/www.conf

1. Change user and group to match those specified in the NGINX configuration

5. Configure POCKET_PHP.

All the relevant configuration lies in app/configure.php, note that the pocket_php/tools/ directory holds the sqlite database file, the sqlite file itself and the session's management folder must be writable by the web server.

$ mkdir /var/web_server/pocket_php/tools/sessions/
$ sudo chown -R username:group /var/web_server/pocket_php/tools/
$ sudo chmod -R 755 /var/web_server/pocket_php/tools/pocket_php.db

Finally, the configure.php file overrides the php.ini settings that POCKET_PHP depends on, this prevents clashing between virtual servers with different settings and the main php.ini defaults. It's strongly suggested to modify the included configure file instead.

The included website has a user guide section. However, due to the code base being so small, it is recommended to simply give it a quick read. The example site will be continuously updated with example usages of pocket_php's features.
Home and Settings

Demo login system
F.A.Q. / Troubleshooting
POCKET_PHP isn't honoring the changes made to the php-fpm.ini file
One of PHP's more annoying limitations is how the php.ini configuration file is global to its respective php-fpm process. To work around this issue and support multiple different php configurations on the same server, please refer to the configure.php file which overrides all internal pocket_php settings in the php.ini file.

The sqlite database can't be opened.
NGINX requires both read and write permissions for both the database and the folder it resides in.

Can I change the database?
Simply add the connection parameters to configuration.php and the desired interface to /core/database.php.

The specified timezone / locale isn't working.
Both timezone and locale settings in PHP are dependent on the those installed in the host system.
Use the "locale -a" command to get the available locales and their correct names, to install new ones uncomment them in your local /etc/locale.gen and run locale-gen to enable them.

What was the motivation behind pocket_php?
Current trends in web frameworks are to take the idea of having an initial basis for a project to the extreme by trying to provide far more than it is required of them. Some of the more criminal examples out there (they know who they are) even outright ignore the ever-growing size of their already unnecessarily massive code base. Probably because the vast majority of the userbase don't even read the code they run.
At XENOBYTE we believe that PHP would greatly benefit from a proper MVC implementation, so here it is.

What is the project's license? Do I have to pay or credit you in any way?
The project is MIT licensed and free. You don't have to credit me at all.
For more information regarding development plans, updates and announcements, please visit the pocket_php devlog.

* ver 2.2 [ 02/10/2021 ] <-- CURRENT STABLE VERSION

- Reworked the TemplateEngine to keep track of the content stack and send it in a single, uninterrupted call to render()
- The stack is filled using addFile() & addString()
- replaceVariables() from core/utility.php reworked to replaceValues()
- Added directory creation and deletion helper functions
- Commented out geoIP tracking by default

* ver 2.1 [ 19/06/2021 ]

- Sessions can now be toggled in app/configure.php
- Added many php.ini overrides to app/configure.php
- The account table in the included database was expanded to encapsulate more session meta-data
- Sessions can now be safely hijacked without logging out
- Account data now stores the last way in which the user logged out
- Session files are now stored in tools/sessions to prevent clashing with other virtual servers
- Session files can now be deleted by POCKET_PHP's session manager
- New settings to customize session behavior in app/configure.php

* ver 2.00 [ 31/05/2021 ]

- Restructured HTTPRequest->arguments into HTTPRequest->GET & HTTPRequest->POST
- GET is always filled with the url arguments, POST is only filled if the request is a POST one
- Added responsiveness to the site's style
- Updated the sites_available config with input file size cap
- Updated user guide

* ver 1.53 [ 23/04/2021 ]

- Forced the login form to be POST only
- Added a check to tell login page requests from GET login attempts

* ver 1.52 [ 21/04/2021 ]

- Cleaned the captcha function and added more customization settings to configure.php

* ver 1.5 [ 16/04/2021 ]

- Added a captcha generator to secure forms
- $_SESSION["login_captcha"] is reserved for the internal login service
- Captchas are generated by app/controllers/getCaptcha.php
- Updated the included site user guide

* ver 1.4 [ 26/01/2021 ]

- Updated README, purged deprecated files

* ver 1.33 [ 05/11/2020 ]

- Updated the included nginx.conf
- Changed comments to point to XENOBYTE.XYZ

* ver 1.3 [ 27/07/2020 ]

- Added timeout and max session duration features to the session manager
- Redesigned the demo site
- Added return type specifiers and increased interpreter verbosity for increased safety

* ver 1.2 [ 04/04/2020 ]

- Removed the SSL challenge redirects
- Added a redirect for URL/favicon.ico since its still so requested this way
- Defined FAVICON_ICO in configure.php

* ver 1.1 [ 17/03/2020 ]

- Updated the included nginx.conf and virtual server configuration file
- Removed wrongly formatted comments

* ver 1.0 [ 20/02/2020 ]

- Moved the project to a new git
- Removed a few useless files
- Since pocket_php already has a stable release, the git has been reset