PHP
    Advanced
    API
    Backend

    Building Your First REST API with PHP

    February 28, 2025
    12 min read

    🚀 Introduction

    If you want to build modern backends, mobile apps, dashboards, authentication systems, or connect your website to a database… you must understand REST APIs.

    A REST API allows different software to talk to each other through simple URLs and JSON. And the best part? PHP — yes, the same language powering WordPress — is still one of the easiest and fastest ways to build an API.

    By the end of this guide, you'll know how to:

    • ✔ Build your first REST API
    • ✔ Return clean JSON responses
    • ✔ Connect to a database
    • ✔ Handle GET, POST, PUT & DELETE
    • ✔ Understand API structure
    • ✔ Avoid beginner mistakes

    Let's begin.


    🧠 What Is a REST API?

    A REST API (Representational State Transfer) is a structured way for clients (web apps, mobile apps, other servers) to request or send data using standard HTTP verbs:

    • GET → retrieve data
    • POST → create data
    • PUT/PATCH → update data
    • DELETE → remove data

    The server responds using JSON, the universal data format.

    Example response:

    {
      "success": true,
      "message": "User created successfully"
    }

    If you can return JSON → you can build APIs.


    🧰 What You Need Before Starting

    • ✓ PHP 7.4+ (8.0 recommended)
    • ✓ Apache or Nginx
    • ✓ MySQL or MariaDB
    • ✓ Postman or Thunder Client (for testing)
    • ✓ Basic PHP knowledge

    Folder example:

    /api
       /v1
          index.php
          users.php

    Simple and effective.


    📦 Step 1 — Create Your API Folder

    Inside your project or localhost:

    mkdir api
    cd api
    mkdir v1

    Inside api/v1, create:

    • index.php
    • users.php

    index.php will act as a router for now.


    🔧 Step 2 — Enable JSON Output

    Inside index.php:

    <?php
    header("Content-Type: application/json; charset=UTF-8");
    
    echo json_encode([
        "status" => "online",
        "message" => "API is running!"
    ]);

    Visit:

    http://localhost/api/v1/index.php

    You've just created your first API response.


    🗃️ Step 3 — Connect to the Database

    Create a file db.php:

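    <?php
    
    // Local development defaults; use a dedicated, least-privileged account in production.
    $host = "localhost";
    $user = "root";
    $pass = "";
    $db   = "rest_api";
    
    $conn = new mysqli($host, $user, $pass, $db);
    
    if ($conn->connect_error) {
        // Log the driver error server-side; do not send it to the client.
        error_log("DB connection failed: " . $conn->connect_error);
        http_response_code(500);
        die(json_encode([
            "success" => false,
            "error" => "Database connection failed"
        ]));
    }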

    Then include it in users.php:

    <?php
    header("Content-Type: application/json");
    require_once "../db.php";

    You now have database access.


    👀 Step 4 — Build Your First GET Endpoint

    Inside users.php:

    if ($_SERVER["REQUEST_METHOD"] === "GET") {
    
        $result = $conn->query("SELECT * FROM users");
    
        $users = [];
        while ($row = $result->fetch_assoc()) {
            $users[] = $row;
        }
    
        echo json_encode([
            "success" => true,
            "data" => $users
        ]);
    }

    Call:

    GET /api/v1/users.php

    Your API returns all users!


    📝 Step 5 — Create a POST Endpoint (Add User)

    Add this under the GET block:

    if ($_SERVER["REQUEST_METHOD"] === "POST") {
    
        $data = json_decode(file_get_contents("php://input"), true);
    
        $name  = $conn->real_escape_string($data["name"]);
        $email = $conn->real_escape_string($data["email"]);
    
        $conn->query("INSERT INTO users (name, email) VALUES ('$name', '$email')");
    
        echo json_encode([
            "success" => true,
            "message" => "User created!"
        ]);
    }

    Send POST JSON:

    {
      "name": "John Doe",
      "email": "john@example.com"
    }

    User created.


    🛠️ Step 6 — Add Update (PUT) Endpoint

    if ($_SERVER["REQUEST_METHOD"] === "PUT") {
    
        $data = json_decode(file_get_contents("php://input"), true);
    
        $id    = intval($data["id"]);
        $name  = $conn->real_escape_string($data["name"]);
        $email = $conn->real_escape_string($data["email"]);
    
        $conn->query("UPDATE users SET name='$name', email='$email' WHERE id=$id");
    
        echo json_encode([
            "success" => true,
            "message" => "User updated!"
        ]);
    }

    🗑️ Step 7 — Add Delete Endpoint

    if ($_SERVER["REQUEST_METHOD"] === "DELETE") {
    
        $data = json_decode(file_get_contents("php://input"), true);
        $id = intval($data["id"]);
    
        $conn->query("DELETE FROM users WHERE id=$id");
    
        echo json_encode([
            "success" => true,
            "message" => "User deleted!"
        ]);
    }

    CRUD completed.


    🧪 Step 8 — Test Everything

    Open Postman or Thunder Client:

    GET all users

    GET /api/v1/users.php

    Create a user

    POST /api/v1/users.php

    Body → JSON

    { "name": "Alice", "email": "alice@email.com" }

    Update a user

    PUT /api/v1/users.php
    { "id": 1, "name": "Alice Updated", "email": "alice@updated.com" }

    Delete a user

    DELETE /api/v1/users.php
    { "id": 1 }

    Everything should now work smoothly.


    🛡️ Security Improvements (Real-World Best Practices)

    To upgrade this API to professional level:

    🔐 1. Add API Keys

    Block requests without a valid key.

    🛑 2. Use Prepared Statements

    Prevent SQL Injection.

    🚧 3. Add Rate Limiting

    Stop brute force and spam.

    🌍 4. Use Routing Libraries

    Slim Framework or Laravel.

    🪪 5. Add User Authentication

    JWT or sessions.

    📦 6. Validate All Input

    Never trust user data.
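
    As an added example (not part of the original article), here is the Step 5 POST handler with three of the improvements above applied: an API key check, input validation, and a prepared statement. The X-API-Key header name, the helper function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not the article's code: hardened version of the Step 5 POST handler.
// The X-API-Key header and all function names below are illustrative assumptions.

function api_key_ok(array $server, string $expected): bool {
    $given = $server["HTTP_X_API_KEY"] ?? "";
    // hash_equals compares in constant time, so response timing does not leak the key.
    return $expected !== "" && is_string($given) && hash_equals($expected, $given);
}

// Returns [cleanData, errors]; rejects missing, non-string or malformed fields.
function validate_user($data): array {
    $errors = [];
    $name  = is_array($data) && is_string($data["name"] ?? null) ? trim($data["name"]) : "";
    $email = is_array($data) && is_string($data["email"] ?? null) ? trim($data["email"]) : "";
    if ($name === "" || strlen($name) > 100) $errors[] = "name must be 1-100 bytes";
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) $errors[] = "email is not valid";
    return [["name" => $name, "email" => $email], $errors];
}

// Prepared statement: the values are bound separately from the SQL text.
function insert_user(mysqli $conn, array $u): bool {
    $stmt = $conn->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    if ($stmt === false) return false;
    $stmt->bind_param("ss", $u["name"], $u["email"]);
    return $stmt->execute();
}

function handle_post(array $server, string $rawBody, string $apiKey, ?mysqli $conn): array {
    if (!api_key_ok($server, $apiKey)) return [401, ["success" => false, "error" => "Invalid API key"]];
    [$user, $errors] = validate_user(json_decode($rawBody, true));
    if ($errors) return [422, ["success" => false, "errors" => $errors]];
    if ($conn === null || !insert_user($conn, $user)) return [500, ["success" => false, "error" => "Could not create user"]];
    return [201, ["success" => true, "message" => "User created!"]];
}

// Constructed sample requests, run from the CLI without a database ($conn = null).
$key = "demo-key-constructed";
$samples = [
    [[], '{"name":"Alice","email":"alice@email.com"}'],                    // request without a key
    [["HTTP_X_API_KEY" => $key], '{"name":"Bob","email":"not-an-email"}'], // key present, malformed email
    [["HTTP_X_API_KEY" => $key], 'not json'],                              // key present, body is not JSON
];
foreach ($samples as [$server, $body]) {
    [$status, $payload] = handle_post($server, $body, $key, null);
    echo $status, " ", json_encode($payload), PHP_EOL;
}
```

    In users.php, call handle_post($_SERVER, file_get_contents("php://input"), (string) getenv("API_KEY"), $conn) and pass the returned status to http_response_code() before echoing the JSON; the API_KEY environment variable name is an assumption.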


    🧱 Folder Structure (Recommended)

    /api
       /v1
          /controllers
          /models
          index.php
          users.php
       /config
          db.php

    Scalable and clean.


    🌐 Turning Your API Into a Real Product

    Once your REST API is working, you can use it to power:

    • Mobile apps (Flutter, React Native)
    • Web dashboards (React, Vue)
    • Authentication systems
    • Ecommerce
    • SaaS products
    • Internal tools
    • Game backends

    A simple PHP API can grow into a full startup.
