For book keeping of my freelance activities I've been using a home made web app since many years. I could have kept using it as it's working fine, but as my activities evolved slightly January was the occasion to take a few days to rewrite a new one reflecting these changes and start afresh a new year. In this article I'll talk about how I've implemented it, and of course share the code for anyone willing to use it.

My previous app was using my old WebBuilder framework and stored data in a MySQL database. Nowadays I'm more and more prone to use SQLite for its simplicity of use, and because it's available in C, PHP and many other languages which cover all my needs. This also allows me to share data easily between my projects. Then I decided to move to that database engine for my new book keeping app.

SQLite databases are single files, conveniently created automatically by the SQLite engine. It means there is nothing to configure or setup, everything can be automated programmatically. Pushing in this direction, I wished to try to make the app as one single file, without dependencies, whose installation procedure reduced to copying that single file on a PHP server. My previous apps ReflectanceEditor or ColorBlind are also built that way. However the book keeping web app is more complex and I needed to pack all the PHP, HTML, CSS, Javascript into one file, which was a bit of a concern but I gave it a try anyway. Of course it also forbids external assets like images but I'm fine with a simplistic UI.

Compare to years when I was working as a photographer in addition to software developer, with stocks to manage, several providers and customers, my current activities focus only on programming and have become incredibly simple from the accounting point of view. Taking advantage of it, plus limiting functionalities to the strict minimum, I could code it in around 700 lines (without comments), which seems to me reasonable. I'm not particularly demanding regarding to the user experience, and the app as it is now would certainly not fit an intensive business. Nevertheless, as a test I could smoothly and swiftly reproduce all my accounting for the past year and prepare this year tax declaration. Thus it's definitely good enough for some real use cases at least, and there is still room left for improvements before that single file becomes an unreadable monster.

I consider the "just copy one file" goal as a success despite two issues. First, as I said the database is automatically created by the PHP script. This requires the folder in which the app is installed to be writable by the account running the app. On a public web server that should be the case and you should have nothing to do here. However the server configuration may also be set up differently, in which case you'll have to edit permissions manually. On my rental web server and the LAMP stack of my Manjaro machine I had nothing to do. On the LAMP stack of my Fedora machine I had to fight with the permissions.

Second, the app is protected by a password, its API by a token system and the database filename is obfuscated. Contrary to the first two points which do not require any manual setup, I can't think of a way to automate the obfuscation. If you have an idea, let me know! Instead I've choosen to require the manual setting of a variable in the PHP script before uploading it to the server. So, not 100% "just copy one file", but near enough!

The file has four sections: the PHP script, the CSS section, the HTML section, and the Javascript script. The PHP script implements the API, the interaction with the database, and controls the creation of the DOM. The CSS defines the style of all the DOM elements. The HTML section contains the static DOM. Finally, the Javascript script responds to the user interaction with the app, processes it via HTTP requests to the API, and updates the DOM as necessary.

The PHP script contains one class which is instanciated globally at the end of the PHP section.

... class Kaikeibo { ... } // Create the Kaikeibo instance $kaikeibo = new Kaikeibo(); ...

The class instanciation consists of initialising some properties, checking that the obfuscation parameter has been set, and opening the connection to the database. That connection is closed upon destruction of the instance. Properties are: login and token, obfuscated path to the database, operating mode (login or app), and the description of the database model.

... // Constructor function __construct() { // Initialise the logged in info $this->login = ""; $this->token = ""; // Initialise the operating mode $this->opMode = 0; // Obfuscation parameter for the database name, set this parameter to a // strong password before uploading this app to a web server $this->dbObfuscation = ""; // Check that the obfuscation parametr is set if($this->dbObfuscation == "") { echo "The obfuscation parameter for the database hasn't been set. " . "Set it before using Kaikeibo."; exit(0); } // Set the path to the database, it is located in the same folder as the // php script, this folder must have reading and writing permission for // the account executing the script $this->pathDb = dirname(__FILE__) . "/kaikeibo." . $this->dbObfuscation . ".db"; // Database model definition $this->dbDef = array( 'User' => array( 'Login' => 'TEXT', 'Password' => 'TEXT', 'Token' => 'TEXT', 'Expiration' => 'DATETIME'), 'Category' => array('Label' => 'TEXT UNIQUE'), 'Source' => array('Label' => 'TEXT UNIQUE'), 'Transact' => array( 'Date' => 'DATE', 'Value' => 'INTEGER', 'Label' => 'TEXT', 'Type' => 'INTEGER', // 0: Debit, 1: Credit 'RefCategory' => 'INTEGER REFERENCES Category(Reference)', 'RefSource' => 'INTEGER REFERENCES Source(Reference)') ); // Try to open the database, on first access it creates it try { $this->db = new SQLite3($this->pathDb); } catch(Exception $e) { echo "<div class='divTile'>Exception caught:<br>" . nl2br($e) . "</div>"; } } // Destructor function __destruct() { // Close the database connection if it's opened if($this->db) $this->db->close(); } ...

Right after the instanciation, the script checks if it responds to an API request, indicated by the presence of a POST variable. If that's the case, it processes the API request and stops here to avoid the following sections to pollute the API response. Else, it executes the main function to run the app.

... // Process the eventual API request if(isset($_POST['action'])) { $kaikeibo->API(); // When responding as an API, stop the script execution here to avoid the // DOM to be sent and mess up the API response exit(0); // Else, call the main function } else { $kaikeibo->Main(); } ...

The main function ensures the database is ready to use, then check if the user is logged in to set the operating mode that will control the construction of the static DOM in the HTML section.

... // Main method function Main() { try { // Check if the database is ready to use $this->CheckDb(); // Check if we are logged in and set the operating mode if($this->CheckLogin()) $this->opMode = 1; else $this->opMode = 0; } catch(Exception $e) { echo "<div class='divTile'>Exception caught:<br>" . nl2br($e) . "</div>"; } } ...

On the first connection an empty database will have been automatically created during class instanciation. Checking the database simply consists of looping through the database definition and creating missing tables. This becomes useless from then on, but doesn't concern me much: the model is super small and the page load, and so the useless database checks, only occurs when the user accesses the app and login.

... // Ensure the database is ready to use function CheckDb() { // Loop on the tables in the database definition foreach ($this->dbDef as $table => $tableDef) { // If the table doesn't exist, create it $sql = 'CREATE TABLE IF NOT EXISTS ' . $table; $sql .= ' (Reference INTEGER PRIMARY KEY'; foreach ($tableDef as $field => $fieldDef) { $sql .= ', ' . $field . ' ' . $fieldDef; } $sql .= ')'; $this->db->exec($sql); } } ...

The CheckLogin method has three roles. It saves the login information if it's the first time the app is used. It checks if the login information matches the info in the database if it's not the first time the app is used. And it prepares the token and expiration date for secure communication with the API. In the code below the expiration date is set to one hour after the login. The shorter the more secure, but the less convenient (the user has login again).

Here I use a single user model, as it simplifies greatly the app. For multi-users, first an additional user creation feature is necessary and it must ensure that the user creation is legit, and data in the database must be managed per user instead of globally. In my implementation, the user is supposed to login soon after the app is installed. In the improbable event of a malicious user login in before the legit user, the database would be necessarily empty and the legit user would notice he/she can't login (except if the malicious user has initialised the login info with those the legit user intended to use, but ...).

... // Check if a login has been defined function HasUser() { // Count the users, if there aren't the login hasn't been defined yet $rows = $this->db->query("SELECT COUNT(*) FROM User"); return ($rows && $rows->fetchArray()[0] == 1); } // Process the data submitted from the login page function CheckLogin() { // Variable to memorise if the login has been successful $isLogin = false; // Sanitize the submitted data if(isset($_POST["login"]) && isset($_POST["pwd"]) && $_POST["login"] != "" && $_POST["pwd"] != "") { // If the login has been set if($this->HasUser()) { // Check the login data $stmt = $this->db->prepare( "SELECT Password FROM User WHERE Login=:login"); $stmt->bindValue(":login", $_POST["login"], SQLITE3_TEXT); $rows = $stmt->execute(); if($rows) { $hashPwd = $rows->fetchArray(); if($hashPwd) { $isLogin = password_verify($_POST["pwd"], $hashPwd[0]); } } // Else, the login hasn't been set yet } else { // Set the login data with the submitted data $hashPwd = password_hash($_POST["pwd"], PASSWORD_DEFAULT); $stmt = $this->db->prepare( "INSERT INTO User (Login, Password) VALUES (:login, :pwd)"); $stmt->bindValue(":login", $_POST["login"], SQLITE3_TEXT); $stmt->bindValue(":pwd", $hashPwd, SQLITE3_TEXT); $stmt->execute(); $isLogin = true; } // If the user is logged in if($isLogin) { // Set the token and its expiration date $this->login = $_POST["login"]; $this->token = password_hash($_POST["pwd"], PASSWORD_DEFAULT); $stmt = $this->db->prepare( "UPDATE User SET Token=:token, Expiration=:expiration " . "WHERE Login=:login"); $stmt->bindValue(":login", $_POST["login"], SQLITE3_TEXT); $stmt->bindValue(":token", $this->token, SQLITE3_TEXT); $expiration = date('Y-m-d H:i:s', strtotime('+1 hour')); $stmt->bindValue(":expiration", $expiration, SQLITE3_TEXT); $stmt->execute(); } } return $isLogin; } ...

The API method checks the token to validate the request, then route the request toward the appropriate method.

// Entry point for the API function API() { try { // If the API request is valid per its token and expiration date if($this->CheckToken()) { // Route the API request to the appropriate method if($_POST['action'] == 'add' || $_POST['action'] == 'remove') { $this->AddRemoveCategorySource(); } else if($_POST['action'] == 'getList') { $this->GetListCategorySource(); } else if($_POST['action'] == 'addTransaction') { $this->AddTransaction(); } else if($_POST['action'] == 'deleteTransaction') { $this->DeleteTransaction(); } else if($_POST['action'] == 'getTransactions') { $this->GetTransactions(); } else { echo '{"actionResult":"invalid_action"}'; } } else { echo '{"actionResult":"token_expired"}'; } } catch(Exception $e) { echo '{"actionResult":"exception_caught"}'; } }

The token verification consists of comparing the token sent with the request and the token currently recorded in the database, and checking that the current date is before the expiration date.

// Check the validity of a token of an API request function CheckToken() { // Check the token is expected one and the expiration date hasn't expired if(isset($_POST['login']) && isset($_POST['token'])) { $stmt = $this->db->prepare( "SELECT COUNT(*) FROM User WHERE Login=:login AND Token=:token AND " . "Expiration>='" . date('Y-m-d H:i:s') . "'"); $stmt->bindValue(":login", $_POST["login"], SQLITE3_TEXT); $stmt->bindValue(":token", $_POST["token"], SQLITE3_TEXT); $rows = $stmt->execute(); if($rows && $rows->fetchArray()[0]) return true; } return false; }

The other methods used to process the API requests are just interfaces to the respective SELECT, INSERT, DELETE and UPDATE SQL commands, and return in JSON format success/failure and necessary information for the Javascript to update the DOM. For tables 'Category' and 'Source', which are identicals in structure, I commonalised the code, while the commands for the 'Transact' table are implemented in their own methods. I only show the add/remove method for Category/Source below, check the whole code at the end for the other methods.

Before removing a category or source I manually check that it isn't used by some transactions. It could be simplified by using foreign key constraints in the database model definition. However the support for foreign key isn't guaranteed (it's available only from version 3.6.19 and can be disable). So I leave it like that. See this link for more information.

// Process an API request for addition/removal of a category or source function AddRemoveCategorySource() { try { // Sanitize input (others are protected by bind()) if($_POST['tgt'] == "Category" || $_POST['tgt'] == "Source") { // Ensure there is no double quote in the labels $_POST['lbl'] = str_replace('"', ' ', $_POST['lbl']); // If we are adding if($_POST['action'] == 'add') { // Prepare the statement for adding $stmt = $this->db->prepare( "INSERT INTO " . $_POST['tgt'] . " (Label) VALUES (:lbl)"); // Else, if we are removing } else if($_POST['action'] == 'remove') { // Check if there are no transaction using that category or source $stmt = $this->db->prepare( "SELECT COUNT(*) FROM Transact, " . $_POST['tgt'] . " WHERE Transact.Ref" . $_POST['tgt'] . "=" . $_POST['tgt'] . ".Reference AND " . $_POST['tgt'] . ".Label=:lbl"); $stmt->bindValue(":lbl", $_POST['lbl'], SQLITE3_TEXT); $rows = $stmt->execute(); // If that category or source is used, avoid removing it if($rows && $rows->fetchArray()[0]) throw new Exception("Category or Source used by a transaction"); // Prepare the statement for removing $stmt = $this->db->prepare( "DELETE FROM " . $_POST['tgt'] . " WHERE Label=:lbl"); } // Bind and execute the statement $stmt->bindValue(":lbl", $_POST['lbl'], SQLITE3_TEXT); if($stmt->execute() == false) throw new Exception('execute failed'); // Create the response echo '{"actionResult":"ok", "action":"' . $_POST['action'] . '", "table":"' . $_POST['tgt'] . '", "label":"' . $_POST['lbl'] . '"}'; } else throw new Exception("Invalid table"); } catch (Exception $e) { echo '{"actionResult":"no", "action":"' . $_POST['action'] . '", "table":"' . $_POST['tgt'] . '", "label":"' . $_POST['lbl'] . '"}'; } }

The CSS section has nothing noticeable. It's my trademark 'grey, yellow, blue' usual theme. The HTML section has three parts: a common one containing a simple title and footer, and two others containing the static DOM for the login page and the app main, and single, page. Which of the last two is used is controlled by the PHP script via conditional HTML.

<html> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width,initial-scale=1"> <style> ... </style> </head> <title> Kaikeibo </title> <body> <div id="divMain"> <div id="divTitle" class="divRow"> Kaikeibo </div> <?php if($kaikeibo->GetOpMode() == 0) : ?> ... <?php elseif($kaikeibo->GetOpMode() == 1) : ?> ... <?php endif; ?> </div> <div id="divFooter"> Copyright 2023 <a target="_blank" href="https://baillehachepascal.dev">Baillehache Pascal</a>, more info <a target="_blank" href="https://baillehachepascal.dev/2023/kaikeibo.php">here</a> <?php if($kaikeibo->GetOpMode() == 1) { echo ", <a href=\"./kaikeibo." . $kaikeibo->dbObfuscation . ".db\" download>download</a> the database"; } ?> </div> </body> <script> ... </script> </html>

The login page looks like this:

and the app page like this:

The tile on the left allows to add new record, add/delete categories and sources, filter the displayed transactions, and show the total debit/credit/balance for currently displayed transactions. The tile on the right displays the transactions and allows to edit them. There is no explicit logout, the session is active as long as the user uses the app, or until the token expires.

Finally, the Javascript script contains one class instanciated globally on the window.onload event.

... // Kaikeibo class, Javascript side class Kaikeibo { ... } // Variable to memorise the global Kaikeibo instance var kaikeibo = {}; // Handler for the onload event window.onload = function() { // Create the Kaikeibo instance kaikeibo = new Kaikeibo(); ... }

That event also takes care of setting the handlers and initialising displayed values in the DOM in case the user has logged in.

... // If we are logged in if(kaikeibo.login != "") { // Set all the handler in the DOM elem('btnAddTransaction').addEventListener('click', (event) => { kaikeibo.SaveTransaction('');}); elem('btnAddCategory').addEventListener('click', (event) => { kaikeibo.AddRemoveCategorySource("Category", "add");}); elem('btnRemoveCategory').addEventListener('click', (event) => { kaikeibo.AddRemoveCategorySource("Category", "remove");}); elem('btnAddSource').addEventListener('click', (event) => { kaikeibo.AddRemoveCategorySource("Source", "add");}); elem('btnRemoveSource').addEventListener('click', (event) => { kaikeibo.AddRemoveCategorySource("Source", "remove");}); ['fromDate', 'toDate', 'selFilterCategory', 'selFilterSource'].forEach( inp => { elem(inp).addEventListener('change', (event) => { kaikeibo.UpdateListTransactions();}); }); // Send the initial requests to update the DOM kaikeibo.UpdateSelectCategorySource('Category'); kaikeibo.UpdateSelectCategorySource('Source'); kaikeibo.UpdateListTransactions(); } ...

The Javascript class has only two properties: the login and token to execute API requests. These properties are set by the PHP script.

... constructor() { // Set the login info to interact with the API <?php echo 'this.login = "' . $kaikeibo->GetLogin() . '"'; ?>; <?php echo 'this.token = "' . $kaikeibo->GetToken() . '"'; ?>; } ...

Its role is to send HTTP requests to the API according to the user actions and update the DOM according to the API response in JSON format. Beside the main method managing the request, it has some helper methods: to add elements to the DOM, convert data sent to the API from dictionary to form element, and display the 3 most recent messages from the API.

... // Method to create and add a new element AddElem(parent, type, properties) { let elem = document.createElement(type); for (const [prop, val] of Object.entries(properties)) elem[prop] = val; parent.appendChild(elem); return elem; } // Convert a dictionary of data for the API request into a form element // usable by the HTTP request DictToReqData(data) { let reqData = document.createElement("form"); for (const [lbl, val] of Object.entries(data)) this.AddElem(reqData, 'input', {'type':'text', 'name':lbl, 'value':val}); return reqData; } // Format and display an API request result DisplayResultAction(retData) { let msg = retData['action'] + ' of [' + retData['label'] + '] in ' + retData['table']; if(retData['actionResult'] == 'ok') this.PushApiMsg('Successful ' + msg); else this.PushApiMsg('Failed ' + msg); } // Add a message to inform the user of the API requests result PushApiMsg(msg) { // Keep only the 3 most recent messages while(elem('divMsgApi').childElementCount >= 3) elem('divMsgApi').removeChild(elem('divMsgApi').firstElementChild); // Add the message this.AddElem(elem('divMsgApi'), 'div', {'innerHTML':msg}); } ...

The method sending the HTTP requests appends the token information to the request data, sends and waits for the response, and takes care of failures or executes the handler to process successful request.

... // Method to post an API request PostRequest(reqData, handler) { // Prepare the request data by adding the authentication data reqData.setAttribute("method", "post"); let authData = {'login': this.login, 'token': this.token}; for (const [lbl, val] of Object.entries(authData)) this.AddElem(reqData, 'input', {'type':'text', 'name':lbl, 'value':val}); let formData = new FormData(reqData); // Create the HTTP request let xhr = new XMLHttpRequest(); xhr.onreadystatechange = function() { // If the HTTP request is complete and successful if (this.readyState == 4 && this.status == 200) { // Parse the response in JSON format let retData = JSON.parse(this.responseText); // If the token as expired if(retData["actionResult"] == "token_expired") { // Redirect the user to the login page window.location.href = 'kaikeibo.php'; // Else process the response with the handler in argument } else handler(retData); // Else, if the HTTP request is complete and not successful } else if (this.readyState == 4 && this.status != 200) { kaikeibo.PushApiMsg('API request failed.'); // Else, the HTTP request is not complete, wait for completion } }; // Send the request xhr.open('POST', 'kaikeibo.php'); xhr.send(formData); } ...

Other methods then simply call PostRequest with appropriate data from the DOM and appropriate handler for the response. For example, the method for the deletion of a transaction is as follow:

... // Handler for the click event to delete a transaction DeleteTransaction(refTransaction) { // Create the API request data let data = { 'action': 'deleteTransaction', 'ref': refTransaction, 'label': elem('label' + refTransaction).value }; let reqData = this.DictToReqData(data); // Post the API request this.PostRequest(reqData, // Handler for the API request response (retData) => { // Update the DOM this.DisplayResultAction(retData); this.UpdateListTransactions(); }); } ...

In conclusion, this little app rewriting was a useful occasion to refresh my memories about PHP/HTML/SQL/CSS/Javascript, which I don't touch that often nowadays. It took me less than 20 hours, the majority spent searching in the docs about forgotten syntax. No doubt that a sharper mind could have done it in less than a day. I consider the 'monolithic' challenge a success, and I'm definitely willing to reuse this app as a template for some others. The app's code is available here.

Edit on 2023/09/22: Add a link to download the database.