What It Does
The Delivery App Platform is a fully self-hosted, white-label dispatch and delivery management system. It ships as a complete PHP application covering the full order lifecycle — from customer booking through driver dispatch, real-time tracking, payment processing, ratings, and analytics — for any of 30+ configurable business verticals.
30+ Supported Business Types
The platform is configurable at the business-type level — one codebase powers all verticals. Switch between types via admin settings without code changes.
User Roles
Three distinct user roles with separate portals, session namespaces, and access controls. No role can access another's panel.
Full Control
Manages all orders, drivers, customers, payouts, promos, analytics, and system settings. Session key: admin_logged_in
Dispatch Portal
Accepts/rejects orders, updates GPS, sets availability, tracks earnings, views schedule. Session key: driver_id
Self-Service Portal
Places orders, tracks delivery in real time, submits ratings, redeems promos, contacts support. Session key: customer_id
Session Keys by Role
Pricing & Market Value
A complete delivery platform from scratch costs $50,000–$200,000 to build. SaaS alternatives lock you into monthly fees and take a cut of every transaction. The Delivery App Platform is a one-time purchase — you own it forever.
| Option | Cost | You Own It | Monthly Fees | Customizable |
|---|---|---|---|---|
| A1 App Builders | $2,000 one-time | ✓ Yes | $0 | ✓ Full source |
| Custom Dev Agency | $50,000–$200,000 | ✓ Yes | Maintenance | ✓ Custom |
| SaaS Competitor A | $5,000 + fees | ✗ No | $300–$1,000/mo | ✗ Limited |
| SaaS Competitor B | $4,500 + fees | ✗ No | $200–$800/mo | ✗ Limited |
File Structure
The platform is organized into three portal directories sharing a common includes layer and a single SQLite database file. No Composer, no npm, no build step required.
| File | Method | Purpose |
|---|---|---|
| admin/index.php | GET | Admin dashboard — live stats: total orders, active drivers, revenue, pending support tickets |
| admin/orders.php | GET POST | View, search, filter, reassign, and update status on all orders. Trigger refunds. |
| driver/orders.php | POST | Driver accepts/rejects dispatched orders; updates delivery status (picked up, on way, delivered) |
| customer/order.php | POST | Order placement — service selection, address, payment, promo code application |
| customer/tracking.php | GET | Real-time order tracking — polls driver GPS, shows estimated arrival, live status updates |
| includes/config.php | PHP | Database class, session init, CSRF helpers, sanitize(), auth guards, mailer, security headers |
| database/schema.sql | SQL | Full SQLite schema — 12+ tables with seed data for all business type configurations |
Database Schema
SQLite3 by default — zero server setup, portable, fast. An optional MySQL/MariaDB migration path is available for high-volume deployments. WAL mode and foreign keys are enabled on every connection.
Security Model
Enterprise-grade security applied at every layer — from HTTP headers down to individual SQL parameters.
| Layer | Implementation |
|---|---|
| Session Hardening | use_strict_mode, use_only_cookies, cookie_httponly, cookie_samesite=Strict, cookie_secure — all enabled at session start |
| Session Timeout | 30-minute inactivity timeout enforced server-side via $_SESSION['last_activity']. Cookie lifetime = 0 (dies on browser close). JS warning banner fires 60 s before expiry. |
| CSRF Tokens | 64-character hex token generated via random_bytes(32). Embedded in every POST form as a hidden field. Verified before any mutation executes. |
| HTTP Security Headers | X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection, Strict-Transport-Security, Content-Security-Policy, Referrer-Policy, Permissions-Policy |
| Password Hashing | All passwords stored as bcrypt hashes. password_verify() used for authentication. Plain-text passwords never logged or stored. |
| Prepared Statements | All DB queries use prepare() + bindValue(). String interpolation into SQL is forbidden throughout the codebase. |
| Output Sanitization | Every database value rendered to HTML passes through sanitize() — an htmlspecialchars() wrapper — to prevent XSS. |
| Auth Guards | Every protected page calls a role-specific guard at the top. Admin, driver, and customer guards redirect to their respective login pages if session is invalid. |
| Audit Logging | All significant actions written to activity_log. All login attempts (success + failure) written to login_log with IP and user agent. |
Security Headers Set on Every Request
Session Management
Sessions use a two-layer timeout strategy: a server-side timestamp check and a JavaScript countdown with a user-visible warning banner.
| Parameter | Value | Notes |
|---|---|---|
| Timeout | 1800 seconds (30 min) | Defined as $session_timeout |
| Cookie Lifetime | 0 (browser session) | Cookie deleted on browser close |
| Warning Trigger | 60 s before expiry | JS banner shown; "Stay logged in" pings ?ping=1 |
| Ping Handler | GET ?ping=1 | Refreshes last_activity without full page reload; returns {"ok":true} |
| Logout | GET ?logout=1 | Destroys session, clears cookie, redirects to current URL (stripping query string) |
| Activity Reset | mousemove, keydown, click, scroll, touchstart | Any user activity resets the JS timer and calls the server ping |
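The server-side half of this timeout, as an added PHP example that is not the platform's own code. The function names and the 401 response for a ping on an expired session are assumptions; the session keys, `$session_timeout` and `?ping=1` come from the tables above.

```php
<?php // Added example; start_hardened_session() and enforce_timeout() are hypothetical names.
$session_timeout = 1800; // 30 minutes, as in the table above

function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept an ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is dropped when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Returns true while the session is live; destroys it once it has idled too long.
function enforce_timeout(int $timeout, int $now): bool
{
    $last = $_SESSION['last_activity'] ?? null;
    if ($last !== null && ($now - $last) > $timeout) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

start_hardened_session();
$alive = enforce_timeout($session_timeout, time());

// Ping handler. enforce_timeout() has already run, so a late ping cannot
// revive a session that expired; the JS countdown is only a convenience.
if (isset($_GET['ping'])) {
    $loggedIn = $alive && (isset($_SESSION['admin_logged_in'])
        || isset($_SESSION['driver_id']) || isset($_SESSION['customer_id']));
    header('Content-Type: application/json');
    http_response_code($loggedIn ? 200 : 401); // assumption: 401 when not logged in
    echo json_encode(['ok' => $loggedIn]);
    exit;
}
```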
Built-In Features
Everything in the table below is included out of the box — no plugins, no add-ons, no extra cost.
| Feature | Details | Portal |
|---|---|---|
| Real-Time GPS Tracking | Driver updates lat/lng; customer tracking page polls for live position. Map integration ready. | Customer Driver |
| Order Lifecycle | 6-stage status pipeline: pending → dispatched → picked_up → on_the_way → delivered → cancelled | All |
| Promo Code Engine | Percent or fixed discount, max uses, expiry date, active toggle. Applied at checkout with live preview. | Customer Admin |
| Ratings & Reviews | 5-star customer rating per delivery. Driver average rating updated on each submission. Admin can review all. | Customer Admin |
| Driver Earnings | Per-order driver payout tracked. Earnings history, payout request, admin approval pipeline. | Driver Admin |
| Support Ticketing | Customer submits tickets (optionally linked to an order). Admin replies from support panel. Status: open → replied → closed. | Customer Admin |
| Analytics Dashboard | Revenue by period, orders by status, top drivers, repeat customers, popular service types. | Admin |
| Demo View Counter | $_SESSION['demo_views'] increments per page load for demo analytics tracking. | Admin |
| Notification System | Email alerts on order placement, status changes, and payout processing. Multi-channel ready. | All |
| Mobile Responsive | All three portals work on phone, tablet, and desktop. Optimized for driver mobile use. | All |
Admin Panel
The admin panel is a full-featured operations center. Every table is searchable and filterable; every action is logged to the audit trail.
Dashboard (index.php)
Live stat cards: active orders, available drivers, today's revenue, open support tickets. Recent activity feed from the audit log. Quick links to each module.
Order Management (orders.php)
Full order history with search and status filter tabs. Reassign drivers, update status, initiate refunds, view full order detail including customer notes and GPS history.
Driver Management (drivers.php)
Approve, suspend, or reactivate drivers. View rating history, total earnings, active orders, and vehicle info. Inline commission rate editing.
Customer Management (customers.php)
View all customer accounts, order history per customer, support ticket history. Suspend or reactivate accounts. Export customer data.
Promo Codes (promos.php)
Create percent or fixed discount codes with optional max-use limits and expiry dates. View usage counts and disable active codes instantly.
Settings (settings.php)
Business type, site name, branding colors, payment gateway keys, SMTP credentials, commission rates, service area radius — all from one panel.
Driver System
The driver portal is optimized for mobile use — large tap targets, minimal navigation, and live order alerts.
driver_id set. GPS location reporting begins.
is_available = 1 to start receiving dispatch. Visible to admin in real time.
dispatched.
picked_up when driver reaches pickup location.
on_the_way. GPS position visible to customer on tracking page.
delivered. delivered_at timestamp set. Earnings credited. Customer rating prompt appears.
Customer Portal
The customer-facing portal handles the full self-service lifecycle from registration through delivery confirmation and support.
| Page | Path | Purpose |
|---|---|---|
| Home / Order | customer/index.php | Service type selection, address entry, order placement entry point |
| Checkout | customer/order.php | Item selection, promo code, payment method, order confirmation |
| Live Tracking | customer/tracking.php | Real-time driver GPS, estimated arrival, status timeline |
| Order History | customer/history.php | Past orders with status, receipt, reorder button, rate driver prompt |
| Profile | customer/profile.php | Edit name, email, phone, saved addresses, change password |
| Support | customer/support.php | Submit tickets, view admin replies, close resolved tickets |
| Login / Register | customer/login.php | Email + password auth, new account registration with email verification |
Order Status Flow
Orders move through a 6-stage pipeline. Each stage transition is logged, timestamped, and can trigger email notifications.
| Status | Set By | Meaning | Triggers |
|---|---|---|---|
| pending | Customer | Order placed, awaiting driver assignment | Customer confirmation email |
| dispatched | Admin | Driver assigned and notified | Driver notification; tracking page activated |
| picked_up | Driver | Driver collected the order from pickup | Customer SMS/email update |
| on_the_way | Driver | En route to delivery address | Live GPS tracking begins for customer |
| delivered | Driver | Delivery completed successfully | delivered_at set; earnings credited; rating prompt sent |
| cancelled | Admin / Customer | Order cancelled before delivery | Refund initiated if payment was captured |
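An added PHP example, not the platform's own code, that ties this status table to the CSRF and prepared-statement rows of the Security Model: a driver status update that checks the token, order ownership and the allowed transition before writing. The function names, the `csrf_token` field name, the `orders(id, status, driver_id)` columns and the rule that cancellation is allowed from any stage before delivery are assumptions.

```php
<?php // Added example; names, columns and the cancellation rule are assumptions.
const FORWARD = [ // current status => [next status, role that sets it], per the table above
    'pending'    => ['dispatched', 'admin'],
    'dispatched' => ['picked_up',  'driver'],
    'picked_up'  => ['on_the_way', 'driver'],
    'on_the_way' => ['delivered',  'driver'],
];

function can_transition(string $role, string $from, string $to): bool
{
    if ($to === 'cancelled') { // "before delivery", by admin or customer
        return isset(FORWARD[$from]) && in_array($role, ['admin', 'customer'], true);
    }
    return isset(FORWARD[$from]) && FORWARD[$from] === [$to, $role];
}

function driver_update_status(SQLite3 $db, array $session, array $post): string
{
    $known = $session['csrf_token'] ?? '';
    $sent  = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) { return 'csrf_rejected'; }
    $sel = $db->prepare('SELECT status FROM orders WHERE id = :id AND driver_id = :d');
    $sel->bindValue(':id', (int)($post['order_id'] ?? 0), SQLITE3_INTEGER);
    $sel->bindValue(':d', (int)($session['driver_id'] ?? 0), SQLITE3_INTEGER);
    $row = $sel->execute()->fetchArray(SQLITE3_ASSOC);
    if ($row === false) { return 'not_your_order'; }
    $to = (string)($post['status'] ?? '');
    if (!can_transition('driver', $row['status'], $to)) { return 'bad_transition'; }
    // Conditional on the status just read, so concurrent requests cannot both advance it.
    $upd = $db->prepare('UPDATE orders SET status = :s WHERE id = :id AND status = :old');
    $upd->bindValue(':s', $to, SQLITE3_TEXT);
    $upd->bindValue(':id', (int)$post['order_id'], SQLITE3_INTEGER);
    $upd->bindValue(':old', $row['status'], SQLITE3_TEXT);
    $upd->execute();
    return $db->changes() === 1 ? 'ok' : 'conflict';
}

// Constructed demo data: order 7 is dispatched to driver 3.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, driver_id INTEGER)');
$db->exec("INSERT INTO orders VALUES (7, 'dispatched', 3)");
$sess = ['driver_id' => 3, 'csrf_token' => bin2hex(random_bytes(32))];
$good = ['csrf_token' => $sess['csrf_token'], 'order_id' => '7'];
echo driver_update_status($db, $sess, $good + ['status' => 'delivered']), "\n";   // tries to skip stages
echo driver_update_status($db, $sess, $good + ['status' => 'picked_up']), "\n";   // next stage, own order
echo driver_update_status($db, ['driver_id' => 4] + $sess, $good + ['status' => 'on_the_way']), "\n"; // other driver
```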
Payments
Payment gateway integration is configurable from the admin settings panel. The platform supports multiple payment methods and a driver payout pipeline.
| Feature | Details |
|---|---|
| Payment Capture | Charge at order placement or on delivery confirmation — configurable in settings |
| Promo Discounts | Applied before charge calculation. discount_amount stored on order record for audit. |
| Driver Payout | driver_payout per order tracked separately. Admin approves payout batches. History per driver. |
| Refunds | Admin-initiated from order detail. payment_status updated to refunded. Logged to audit trail. |
| Payment Status | unpaid → paid → refunded — tracked on every order record |
settings table and managed from admin/settings.php. Never hardcoded in source files.
Notifications
The platform sends automated notifications at key lifecycle events. All email goes through a configurable SMTP mailer. Push and SMS channels are architecture-ready.
| Trigger | Recipient | Channel |
|---|---|---|
| Order Placed | Customer | Email — order confirmation with summary |
| Order Dispatched | Driver + Customer | Email — driver assigned; tracking link sent to customer |
| Order Picked Up | Customer | Email / SMS — order is on the way |
| Order Delivered | Customer | Email — delivery confirmed + rating request |
| Order Cancelled | Customer | Email — cancellation notice + refund status |
| Support Reply | Customer | Email — admin has replied to your ticket |
| Payout Processed | Driver | Email — payout summary and amount |
| New Registration | Admin | Email — new driver or customer registration notice |
Installation
The platform is designed to go live in a single session. No Composer. No npm. No build tools.
Upload Files
Upload the platform directory to your PHP web host. Rename the root folder to match your brand (e.g. mydelivery/). Accessible at /mydelivery/.
Run Database Setup
Visit /admin/database/setup.php?key=lastcall_setup_2024 once to create all tables and seed default data. Delete or rename setup.php after running.
Set Admin Password
Log into /admin/login.php with the default credentials, then immediately update the password from the Settings panel. Default credentials are documented in the setup guide.
Configure Settings
From /admin/settings.php: set your business type, site name, SMTP credentials, payment gateway keys, commission rates, and branding colors.
Add Drivers & Go Live
Create driver accounts from the admin panel. Share the customer-facing URL. Your platform is live and ready to take orders.
setup.php. (2) Change all default passwords. (3) Confirm HTTPS is active — HSTS header requires it. (4) Set Content-Security-Policy to your domain. (5) Verify uploads/ is not web-accessible for PHP execution.