The Modular PHP Experiment: How We Built Signelli Without a Framework

Building Modular PHP Applications: A Deep Dive into the Signelli Architecture

How we built a scalable email signature platform using modern PHP practices and modular design patterns

---

The Challenge: Beyond the Monolith

When we set out to build Signelli, our professional email signature generator, we faced a familiar crossroads. We could have reached for a heavyweight framework like Laravel or Symfony, or gone with a trendy JavaScript-heavy stack. Instead, we chose to build a lean, modular PHP application from scratch—not because it was easier, but because it offered us complete control over every architectural decision.

This post isn’t about selling you on Signelli (though it’s pretty cool). It’s about sharing the technical decisions and modular patterns that make it tick, serving as a proof of concept for building modern PHP applications without framework bloat.

Architecture Overview: MVC Without the Weight

At its core, Signelli follows a classic MVC pattern, but implemented with surgical precision:

/public_html
    ├── index.php           # Single entry point
    ├── .htaccess          # Clean URL routing
    ├── /app
    │   ├── /controllers   # Request handlers
    │   ├── /views         # Presentation layer
    │   └── /models        # (Future: Data models)
    └── /includes
        ├── config.php     # Configuration
        ├── Database.php   # Database abstraction
        ├── functions.php  # Helper utilities
        └── init.php       # Bootstrap

The Router: Simple Yet Powerful

Our routing system lives entirely in index.php, using PHP’s native regex capabilities:

$routes = [
    'GET' => [
        '/' => 'HomeController@index',
        '/editor/([0-9]+)' => 'EditorController@edit',
        '/templates' => 'TemplateController@index',
    ],
    'POST' => [
        '/login' => 'AuthController@login',
        '/editor/save' => 'EditorController@save',
    ]
];

No heavy routing libraries. No annotations. Just a simple array that maps URLs to controller methods. The beauty? It’s immediately understandable and debuggable.

Modular Components: Building Blocks of Flexibility

1. Database Abstraction Layer

Instead of an ORM, we built a lightweight PDO wrapper that provides just enough abstraction:

class Database {
    private static $instance = null;
    private $connection = null;
    
    public static function getInstance() {
        if (self::$instance === null) {
            self::$instance = new self();
        }
        return self::$instance;
    }
}

This singleton pattern ensures connection efficiency while keeping database operations clean and prepared-statement safe. No query builders, no magic—just secure, performant SQL.

2. Authentication System

Our authentication module showcases defensive programming at its finest:

• Password hashing: BCrypt with cost factor 12
• CSRF protection: Token-based with session binding
• Session management: Secure cookie settings, httpOnly flags
• Remember me: Separate token table with expiration

function verify_csrf_token($token) {
    return isset($_SESSION[CSRF_TOKEN_NAME]) && 
           hash_equals($_SESSION[CSRF_TOKEN_NAME], $token);
}

Notice the hash_equals()? That’s protection against timing attacks—the kind of detail that matters in production.

3. Template Engine (Without the Engine)

For email signature templates, we avoided heavy template engines. Instead, we use a simple placeholder system:

$html = str_replace('{{full_name}}', $userData['full_name'], $template);

Why? Because email signatures need to be lightweight HTML that works everywhere. No JavaScript, no complex rendering—just clean, compatible markup.

4. Graceful Feature Flags

The codebase elegantly handles features in development:

if (getUserPlan($userId) === 'pro') {
    // Pro features
} else {
    // Gracefully degrade
}

This allows us to deploy incomplete features safely, test in production, and roll out gradually.

Security First: Defense in Depth

Security isn’t an afterthought—it’s woven throughout:

1. Input Sanitization: Every user input passes through sanitize()
2. SQL Injection Prevention: Prepared statements everywhere
3. XSS Protection: HTMLspecialchars with ENT_QUOTES
4. Path Traversal: No user input in file operations
5. Rate Limiting: Built-in hooks for future implementation

function sanitize($input) {
    return htmlspecialchars(trim($input), ENT_QUOTES, 'UTF-8');
}

Performance Optimizations

Without framework overhead, Signelli is blazingly fast:

• Lazy Loading: Database connects only when needed
• Minimal Dependencies: No Composer autoloader overhead
• Efficient Routing: O(n) route matching with early termination
• Smart Caching: Browser caching for static assets

The entire application bootstraps in under 10ms on modest hardware.

Modular JavaScript Integration

The frontend follows the same philosophy—vanilla JavaScript modules that enhance, not hijack:

function updateSignaturePreview() {
    // Direct DOM manipulation
    // No virtual DOM overhead
    // No framework abstractions
}

Each page loads only the JavaScript it needs. No bundles, no webpack—just clean, fast code.

Deployment & DevOps Considerations

The modular architecture makes deployment straightforward:

1. Environment-based Config: Single config file switches between dev/prod
2. No Build Step: Upload and run
3. Database Migrations: Simple SQL files (coming soon)
4. Error Handling: Graceful degradation when services unavailable

Lessons Learned

Building Signelli taught us several valuable lessons:

What Worked Well

• Simplicity scales: Our “boring” PHP stack handles load beautifully
• Modularity pays off: Features can be added/removed without touching core
• Vanilla is viable: You don’t always need React/Vue/Angular
• Security by design: Building security in from day one is easier than retrofitting

Trade-offs We Made

• No ORM: More SQL to write, but complete query control
• No Template Engine: Less abstraction, but better email client compatibility
• Manual Routing: More verbose, but immediately understandable
• Limited Dependencies: More wheel reinvention, but zero dependency hell

The Proof in the Pudding

Signelli demonstrates that modern PHP applications don’t need massive frameworks. With thoughtful architecture and modular design, you can build:

• Secure applications (CSRF, XSS, SQL injection protection)
• Scalable systems (clean separation of concerns)
• Maintainable codebases (clear structure, minimal magic)
• Performant solutions (sub-second page loads)

Technical Takeaways

For developers considering a similar approach:

1. Start with structure: Define your directory layout before writing code
2. Build abstractions gradually: Don’t over-engineer early
3. Prioritize security: It’s harder to add later
4. Keep it debuggable: Avoid magic that obscures flow
5. Document intentions: Your future self will thank you

Looking Forward

Signelli’s architecture positions us well for future enhancements:

• API Layer: RESTful endpoints using the same controllers
• WebSocket Support: Real-time preview updates
• Plugin System: Third-party integrations
• Multi-tenancy: Enterprise team support

Each can be added as a module without restructuring the core.

Conclusion: Sometimes Boring is Beautiful

---

Signelli is currently in active development at signelli.com. This project showcases LXB Studio’s approach to building performant, secure, and maintainable web applications using proven technologies and thoughtful architecture.

---

Want to discuss modular PHP architectures or have questions about our approach? Contact our development team to start a conversation about building better web applications.