In the modern software landscape of 2025, Software as a Service (SaaS) isn’t just a business model; it’s the default standard for web application delivery. As PHP developers, we are uniquely positioned to build these systems. PHP powers nearly 80% of the web, and with the robust features introduced in PHP 8.2 and 8.3, it is more capable than ever of handling complex, high-concurrency SaaS architectures.
However, moving from a standard single-client application to a Multi-tenant architecture is a significant leap. It requires a fundamental shift in how you handle data isolation, user authentication, and request lifecycles.
In this deep dive, we will move beyond theory. We will architect and build the core of a multi-tenant application using modern PHP, focusing on the “Shared Database, Shared Schema” strategy—the most common approach for startups and growth-stage SaaS products.
What You Will Learn #
- The three pillars of multi-tenant database architecture.
- How to implement automatic tenant resolution via Subdomains.
- Building a
TenantAwaredatabase wrapper using PHP’s PDO. - Security best practices to prevent “Data Leakage” (the #1 SaaS nightmare).
1. The Architecture: Choosing a Database Strategy #
Before writing a single line of code, you must decide how your data will be stored. This decision impacts everything from cost to scalability.
The Three Common Strategies #
| Strategy | Description | Pros | Cons |
|---|---|---|---|
| Database per Tenant | Each tenant gets their own physical database instance (e.g., db_tenant_a, db_tenant_b). |
Maximum isolation; easy backup/restore per client; high security. | High infrastructure cost; complex migrations (updating 1000 DBs). |
| Schema per Tenant | One database, but each tenant has their own schema/namespace tables. | Good balance of isolation and shared resources. | Complexity in ORMs; still requires heavy migration scripts. |
| Shared Schema (Discriminator) | All tenants share the same tables. Rows are separated by a tenant_id column. |
Lowest cost; easiest to scale; tools like Laravel/Symfony support this well. | High risk of data leaks if code is buggy; requires strict global scopes. |
For this guide, we will implement the Shared Schema (Discriminator) strategy. It is the most technically challenging to secure strictly in code, making it the best learning exercise, and it is the most cost-effective for 95% of new SaaS applications.
The Request Lifecycle #
Here is how a typical request flows in our multi-tenant PHP application:
2. Prerequisites and Environment #
To follow along, ensure you have the following installed. We are keeping dependencies minimal to understand the core logic, rather than hiding it behind a framework’s magic.
- PHP 8.2+ (We will use Readonly classes and Types)
- MySQL 8.0+ or PostgreSQL
- Composer
- A local web server (PHP built-in server or Docker)
Project Setup #
Create a new directory and initialize Composer:
mkdir php-saas-core
cd php-saas-core
composer init --name="phpdevpro/saas-core" --type=project --require="php:^8.2" -n
composer require vlucas/phpdotenvCreate the following file structure:
/src
/Database
/Model
/Http
/public
index.php
.env3. The Database Layer #
First, let’s establish a connection. In a SaaS app, you rarely just “connect.” You connect on behalf of a tenant. However, since we are using a Shared Schema, the physical connection remains the same, but we must enforce scoping.
The Database Schema #
Run this SQL in your local database to prepare the environment:
CREATE TABLE tenants (
id INT AUTO_INCREMENT PRIMARY KEY,
name VARCHAR(255) NOT NULL,
domain_slug VARCHAR(50) NOT NULL UNIQUE, -- e.g., 'acme'
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
tenant_id INT NOT NULL, -- The Discriminator Column
email VARCHAR(255) NOT NULL,
full_name VARCHAR(255),
FOREIGN KEY (tenant_id) REFERENCES tenants(id) ON DELETE CASCADE
);
-- Seed some data
INSERT INTO tenants (name, domain_slug) VALUES ('Acme Corp', 'acme'), ('Stark Ind', 'stark');
INSERT INTO users (tenant_id, email, full_name) VALUES (1, 'ceo@acme.com', 'Wile E. Coyote'), (2, 'tony@stark.com', 'Tony Stark');The Database Connector #
Create src/Database/DBConnection.php. We will use a singleton pattern for simplicity here, though Dependency Injection is preferred in full frameworks.
<?php
namespace App\Database;
use PDO;
use PDOException;
class DBConnection {
private static ?PDO $pdo = null;
public static function get(): PDO {
if (self::$pdo === null) {
$host = getenv('DB_HOST') ?: '127.0.0.1';
$db = getenv('DB_DATABASE') ?: 'saas_db';
$user = getenv('DB_USERNAME') ?: 'root';
$pass = getenv('DB_PASSWORD') ?: '';
try {
$dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
self::$pdo = new PDO($dsn, $user, $pass, [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
]);
} catch (PDOException $e) {
die("Database Connection Failed: " . $e->getMessage());
}
}
return self::$pdo;
}
}4. Identifying the Tenant (The Resolver) #
This is the most critical part of the application entry point. We need to look at the incoming HTTP request (specifically the Host header) to determine who the customer is.
If the user visits acme.myapp.com, we need to find the tenant with domain_slug: acme.
Create src/Model/Tenant.php:
<?php
namespace App\Model;
readonly class Tenant {
public function __construct(
public int $id,
public string $name,
public string $domainSlug
) {}
}Create src/Http/TenantResolver.php. This class simulates a middleware that intercepts the request.
<?php
namespace App\Http;
use App\Database\DBConnection;
use App\Model\Tenant;
use Exception;
class TenantResolver {
public function resolveFromHost(string $host): Tenant {
// Assume host is "acme.localhost" or "acme.saas.com"
// We extract the subdomain.
$parts = explode('.', $host);
$subdomain = $parts[0];
// In production, handle 'www' or main domain logic here.
if ($subdomain === 'www' || $subdomain === 'localhost') {
throw new Exception("Landing Page - No Tenant");
}
$stmt = DBConnection::get()->prepare("SELECT * FROM tenants WHERE domain_slug: ? LIMIT 1");
$stmt->execute([$subdomain]);
$data = $stmt->fetch();
if (!$data) {
throw new Exception("Tenant Not Found");
}
return new Tenant(
id: $data['id'],
name: $data['name'],
domainSlug: $data['domain_slug']
);
}
}Pro Tip: Local Development with Subdomains #
To test this locally, you don’t need to buy domains. Edit your OS hosts file (/etc/hosts on Mac/Linux or C:\Windows\System32\drivers\etc\hosts on Windows):
127.0.0.1 acme.localhost
127.0.0.1 stark.localhost5. Context Manager: The Tenant Scope #
Now that we know who the tenant is, we need to store this context globally for the duration of the request. This prevents us from having to pass $tenantId into every single function call.
Create src/Context/TenantContext.php:
<?php
namespace App\Context;
use App\Model\Tenant;
use RuntimeException;
class TenantContext {
private static ?Tenant $currentTenant = null;
public static function set(Tenant $tenant): void {
self::$currentTenant = $tenant;
}
public static function get(): Tenant {
if (self::$currentTenant === null) {
throw new RuntimeException("No tenant context initialized.");
}
return self::$currentTenant;
}
public static function id(): int {
return self::get()->id;
}
}6. Implementing Scoped Data Access #
Here is where the magic happens—and where security risks are mitigated. We will create a UserRepository that automatically applies the tenant constraint.
Warning: Never trust the client to send the ID. If you rely on
GET /users?tenant_id=1, a user can simply change that to2and see competitor data. Always derive the tenant ID from the authenticated context.
Create src/Model/UserRepository.php:
<?php
namespace App\Model;
use App\Database\DBConnection;
use App\Context\TenantContext;
class UserRepository {
public function getAllForCurrentTenant(): array {
// AUTOMATICALLY injecting the tenant_id from Context
$tenantId = TenantContext::id();
$sql = "SELECT id, email, full_name FROM users WHERE tenant_id = ?";
$stmt = DBConnection::get()->prepare($sql);
$stmt->execute([$tenantId]);
return $stmt->fetchAll();
}
public function create(string $email, string $name): bool {
$tenantId = TenantContext::id();
$sql = "INSERT INTO users (tenant_id, email, full_name) VALUES (?, ?, ?)";
$stmt = DBConnection::get()->prepare($sql);
return $stmt->execute([$tenantId, $email, $name]);
}
}7. Putting It All Together #
Let’s wire this up in public/index.php. This acts as our front controller.
<?php
require_once __DIR__ . '/../vendor/autoload.php';
use App\Http\TenantResolver;
use App\Context\TenantContext;
use App\Model\UserRepository;
use Dotenv\Dotenv;
// 1. Load Environment
$dotenv = Dotenv::createImmutable(__DIR__ . '/../');
$dotenv->safeLoad();
// 2. Simulate Request Info (In real apps, use $_SERVER['HTTP_HOST'])
// For testing via CLI, we force a host. For web, uncomment the line below.
$host = $_SERVER['HTTP_HOST'] ?? 'acme.localhost';
header('Content-Type: application/json');
try {
// 3. Resolve Tenant
$resolver = new TenantResolver();
$tenant = $resolver->resolveFromHost($host);
// 4. Set Context
TenantContext::set($tenant);
// 5. Application Logic
$repo = new UserRepository();
// Let's pretend we are listing users
$users = $repo->getAllForCurrentTenant();
echo json_encode([
'status' => 'success',
'tenant' => [
'id' => $tenant->id,
'name' => $tenant->name
],
'data' => $users
], JSON_PRETTY_PRINT);
} catch (Exception $e) {
http_response_code(404);
echo json_encode(['error' => $e->getMessage()]);
}Testing the Result #
- Start the PHP built-in server:
php -S localhost:8080 -t public - Visit
http://acme.localhost:8080in your browser.- Result: You should see JSON data for “Wile E. Coyote” only.
- Visit
http://stark.localhost:8080.- Result: You should see JSON data for “Tony Stark” only.
We have successfully achieved Logical Isolation. The code running for stark has no easy way to accidentally access acme data because the UserRepository enforces TenantContext::id().
8. Common Pitfalls and Security Checks #
Building SaaS in PHP is powerful, but it comes with responsibilities. Here are the pitfalls you must avoid in a production environment.
1. The IDOR Trap (Insecure Direct Object References) #
Even if you scope your lists, what about finding a specific item?
Bad Code:
public function find($id) {
// VULNERABLE: Only checks ID, ignores Tenant!
$stmt = $pdo->prepare("SELECT * FROM orders WHERE id = ?");
}Good Code:
public function find($id) {
// SECURE: Checks both ID AND Tenant
$stmt = $pdo->prepare("SELECT * FROM orders WHERE id = ? AND tenant_id = ?");
$stmt->execute([$id, TenantContext::id()]);
}2. Cache Poisoning #
If you use Redis or Memcached, ensure your cache keys include the tenant ID.
- Bad:
Cache::get('dashboard_stats')-> User B sees User A’s stats. - Good:
Cache::get("tenant_{$id}_dashboard_stats").
3. Uploaded Files #
Do not store uploads in a flat folder structure (/uploads/avatar.jpg). If User A guesses the filename, they can see User B’s files.
- Best Practice: Use S3 paths like
bucket/tenant_id/user_id/file.jpgor use unguessable UUIDs for filenames.
Conclusion #
Creating a multi-tenant SaaS application with PHP is less about learning new syntax and more about discipline in architecture. By using the Shared Schema strategy combined with a strict Tenant Context and Repository Pattern, you can build systems that scale to thousands of customers while keeping infrastructure costs low.
Next Steps for Production:
- Migrations: Look into tools like
phinxor Laravel Migrations that can handle tenant-aware updates. - Queues: When processing background jobs (like sending emails), remember to pass the
tenant_idinto the job payload so the worker knows which context to load. - Unique Constraints: Remember that
emailmight need to be unique per tenant, not globally. Your database unique index should be(tenant_id, email).
The PHP ecosystem in 2025 provides all the tools necessary to build world-class SaaS products. Now it’s time to build yours.
Happy Coding!