HiveControl Web Application Documentation Version 2.10 - 2026-01-17
- Overview
- Directory Structure
- Application Flow
- Admin Pages
- User Pages
- Include Files
- Chart System
- Database Integration
- Security Implementation
The HiveControl web application is a PHP-based dashboard for monitoring and managing beehive sensors. It provides:
- Real-time Data Visualization: Interactive charts using HighCharts
- Configuration Interface: Web-based setup for sensors and system settings
- Administrative Tools: Backup, restore, password management, system commands
- Mobile Responsive: Bootstrap 3 framework for desktop and mobile
Technology Stack:
- Backend: PHP 7.0+, SQLite 3
- Frontend: Bootstrap 3, jQuery 3.x, HighCharts
- Web Server: Apache 2.4 with .htaccess authentication
- Session Management: PHP sessions with CSRF protection
/home/HiveControl/www/public_html/
├── admin/ # Administrative interface
│ ├── backup.php # Backup & restore system
│ ├── changepassword.php # Password management
│ ├── hiveconfig.php # Basic hive configuration
│ ├── hiveapisetup.php # API key management
│ ├── hivebodyconfig.php # Hive body/frame tracking
│ ├── instrumentconfig.php # Sensor configuration
│ ├── siteconfig.php # Weather/sensor site settings
│ ├── system.php # System commands & logs
│ ├── notifications.php # Email alert configuration
│ ├── notify.php # Notification handler
│ ├── livevalue.php # Real-time sensor readings
│ ├── statusrefresh.php # Upgrade status AJAX
│ └── api.php # REST API endpoint
├── pages/ # User-facing dashboard
│ ├── index.php # Main dashboard (all data)
│ ├── weight.php # Weight chart view
│ ├── temp.php # Temperature chart view
│ ├── environment.php # Environment data view
│ ├── gdd.php # Growing degree days
│ ├── light.php # LUX/solar data
│ ├── air.php # Air quality data
│ ├── beecount.php # Bee counter data
│ ├── video.php # Webcam view
│ ├── video-w-wxforecast.php # Webcam + weather
│ └── status.php # System status
├── include/ # Shared PHP files
│ ├── db-connect.php # Database connection
│ ├── security-init.php # Session & CSRF security
│ ├── navigation.php # Sidebar menu
│ ├── check.inc # Data validation functions
│ ├── loglocal.inc # Logging functions
│ ├── curl.inc # HTTP request wrapper
│ └── cloud.inc # Hivetool.org integration
├── charts/ # Chart data API endpoints
│ ├── getchartdata.php # Main chart data provider
│ ├── weight-chart-data.php # Weight-specific data
│ ├── temp-chart-data.php # Temperature data
│ └── ... # Other chart endpoints
├── bower_components/ # Frontend libraries
│ ├── bootstrap/ # Bootstrap 3
│ ├── jquery/ # jQuery
│ ├── datatables/ # DataTables plugin
│ ├── highcharts/ # Charting library
│ └── ...
├── dist/ # Compiled CSS/JS
│ ├── css/sb-admin-2.css # Admin theme
│ └── js/sb-admin-2.js # Admin JS
├── .htaccess # Apache authentication
├── index.html # Redirect to pages/
└── 401.php # Unauthorized error page
User Request
↓
Apache .htaccess
↓
.htpasswd validation
↓
[Authenticated] → PHP Application
↓
security-init.php (session, CSRF)
↓
Page Content
Authentication Method:
- Apache Basic Authentication
- Credentials stored in
/home/HiveControl/www/.htpasswd - Default username:
admin - Password hashed with bcrypt (APR1 MD5 for legacy)
index.php
↓
include security-init.php (CSRF tokens, session)
↓
include db-connect.php (SQLite connection)
↓
include navigation.php (sidebar menu)
↓
Query database for config/data
↓
Render HTML with Bootstrap
↓
Load HighCharts with AJAX data
↓
charts/getchartdata.php (JSON endpoint)
User submits form
↓
POST to admin page
↓
verify_csrf_token() check
↓
[Valid] → Process form
↓
Update database
↓
Log action to logs table
↓
Redirect/refresh page
Purpose: Database backup and restore system
Features:
- Full database backup (file copy method)
- Configuration-only backup (SQL export)
- Restore with safety backup
- Download backups
- Delete old backups
Key Functions:
// Create full backup
$conn->exec("PRAGMA wal_checkpoint(TRUNCATE)");
copy($db_path, $backup_path);
// Create config backup
$result = $conn->query("SELECT * FROM hiveconfig");
// Generate INSERT SQL
// Restore backup
rename($db_path, $safety_backup);
copy($backup_path, $db_path);Security:
- CSRF protection on all actions
- IP logging for audit trail
- .htaccess protection on backup directory
- Safety backup before restore
Purpose: Admin password management
Features:
- Current password verification
- Support for multiple hash formats (APR1, bcrypt, SHA1, crypt)
- Minimum 8 character requirement
- Password confirmation
Key Functions:
// Apache MD5 verification
function apr1_md5_verify($password, $hash)
// Hash formats supported:
- $apr1$ → Apache MD5
- $2y$/$2a$ → bcrypt
- {SHA} → SHA1
- others → traditional crypt()
// New password creation
$new_hash = password_hash($new_password, PASSWORD_BCRYPT);
file_put_contents($htpasswd_file, "$username:$new_hash\n");Security:
- CSRF token required
- Current password must be verified
- All attempts logged with IP
- Password not exposed in forms
Purpose: System commands and log viewing
Commands:
clearlogs- Clear log tablecleardata- Clear all sensor dataremovezero- Remove zero values from specific columnupgrade- Trigger system upgradepause- Pause data collectionserver_status- Display system info
Key Functions:
function loglocal($date, $program, $type, $message) {
$sth99 = $conn->prepare("INSERT INTO logs (date,program,type,message) VALUES (?,?,?,?)");
$sth99->execute([$date, $program, $type, $message]);
}
function getlog($conn) {
// Returns last 1000 log entries
// Escaped with htmlspecialchars() to prevent XSS
}
function getUserIP() {
// SECURITY: Only trust REMOTE_ADDR
return $_SERVER['REMOTE_ADDR'];
}Security Fixes (v2.10):
- SQL injection fixed in loglocal()
- SQL injection fixed in removezero with column whitelisting
- XSS fixed in getlog() output
- IP spoofing prevented in getUserIP()
Purpose: Basic hive configuration
Settings:
- Hive name, API key, location
- Timezone configuration
- Hivetool.org integration (username, password, URL)
- GDD (Growing Degree Days) settings
- Power/internet/status tracking
Security Fixes (v2.10):
- Password field no longer pre-filled
- Password only updated if new value provided
- All output escaped with htmlspecialchars()
Form Behavior:
- Auto-submit on change (
onchange="this.form.submit()") - Conditional fields (Hivetool.org settings only show if sharing enabled)
Purpose: Sensor selection and configuration
Sensor Types:
- Weight sensors (HX711, Phidget, CPW-200+)
- Temperature sensors (DHT22, SHT31-D, BME680, BroodMinder)
- Weather stations (WeatherFlow, Ambient Weather, Weather Underground)
- Light sensors (TSL2591, TSL2561)
- Air quality (PurpleAir)
- Bee counter
Features:
- Enable/disable sensors
- Calibration values (weight slope/zero)
- Sensor-specific configuration
- Live sensor testing
Purpose: Site-specific sensor configuration
Settings:
- Weather station API keys
- PurpleAir station IDs
- Pollen.com location codes
- Network settings for local sensors
Purpose: Combined view of all sensor data
Chart Types:
- Line chart: Weight, temperature, humidity
- Column chart: Bee in/out counts
- Area chart: Rain
- Combined overlay
Time Ranges:
- Today (since midnight)
- 2 days
- 1 week
- 1 month
- 1 year
- All data
Data Flow:
// AJAX request to chart endpoint
$.getJSON('charts/getchartdata.php?range=week', function(data) {
// HighCharts configuration
chart.series[0].setData(data.weight);
chart.series[1].setData(data.temp);
// ...
});weight.php - Weight Chart
- Hive weight over time
- Identify nectar flows
- Track weight changes
temp.php - Temperature Chart
- Internal hive temperature
- External ambient temperature
- Temperature differential
environment.php - Environment Data
- Humidity (internal/external)
- Barometric pressure
- Weather conditions
gdd.php - Growing Degree Days
- Cumulative GDD calculation
- Pollen count overlay
- Bee development tracking
light.php - Light/Solar Data
- LUX levels
- Solar radiation
- Daylight patterns
air.php - Air Quality
- PM2.5 and PM10 levels
- PurpleAir integration
- Pollution trends
beecount.php - Bee Flight Activity
- Bees in vs bees out
- Flight activity patterns
- Weather correlation
video.php - Webcam View
- Live camera feed
- Motion JPEG stream
- Optional weather forecast overlay
Purpose: Database connection management
try {
$conn = new PDO("sqlite:/home/HiveControl/data/hive-data.db");
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch(PDOException $e) {
// SECURITY: Don't expose error details
error_log("Database connection failed: " . $e->getMessage());
die("Database connection error. Please contact administrator.");
}Usage:
include($_SERVER["DOCUMENT_ROOT"] . "/include/db-connect.php");
// $conn is now available for queriesPurpose: Session security and CSRF protection
Features:
- Secure session configuration
- CSRF token generation
- Session regeneration (every 5 minutes)
- Security headers
Functions:
get_csrf_token() // Get current CSRF token
csrf_field() // Generate hidden input field
verify_csrf_token() // Check if token is valid
require_csrf_token() // Check token or dieSession Settings:
ini_set('session.cookie_httponly', 1); // Prevent JS access
ini_set('session.cookie_samesite', 'Strict'); // CSRF protection
ini_set('session.use_strict_mode', 1); // Reject bad IDs
ini_set('session.gc_maxlifetime', 3600); // 1 hour timeoutSecurity Headers:
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; ...Purpose: Sidebar menu and page header
Sections:
- Hive Dashboards (main, weight, temp, environment, etc.)
- Admin Pages (configuration, backups, system)
- Settings (notifications, API)
Dynamic Menu:
- Highlights current page
- Responsive collapse on mobile
- Bootstrap sidebar component
Purpose: Data validation functions
# Validate numeric sensor readings
function check() {
# Rejects negative numbers
# Rejects invalid characters (----)
# Returns value or "null"
}Purpose: Hivetool.org integration
Functions:
- Send data to Hivetool.org
- XML generation for data sharing
- Credential management
- Error handling
Purpose: Main chart data API endpoint
Parameters:
range: time|2days|week|month|year|allsensor: filter by sensor type (optional)
Output Format:
{
"weight": [[timestamp, value], ...],
"temp": [[timestamp, value], ...],
"humidity": [[timestamp, value], ...],
"beein": [[timestamp, value], ...],
"beeout": [[timestamp, value], ...],
"rain": [[timestamp, value], ...]
}SQL Query Example:
$stmt = $conn->prepare("
SELECT
strftime('%s', date) * 1000 as timestamp,
hiveweight,
hivetempf,
hiveHum
FROM allhivedata
WHERE date >= ?
ORDER BY date ASC
");
$stmt->execute([$start_date]);var chart = new Highcharts.Chart({
chart: {
type: 'line',
zoomType: 'x'
},
title: {
text: 'Hive Data'
},
xAxis: {
type: 'datetime'
},
yAxis: [{
title: { text: 'Weight (lbs)' }
}, {
title: { text: 'Temperature (°F)' },
opposite: true
}],
series: [{
name: 'Weight',
data: weightData,
yAxis: 0
}, {
name: 'Temperature',
data: tempData,
yAxis: 1
}]
});// Include database connection
include($_SERVER["DOCUMENT_ROOT"] . "/include/db-connect.php");
// Execute query with parameterized statement
$stmt = $conn->prepare("SELECT * FROM hiveconfig WHERE id = ?");
$stmt->execute([1]);
$result = $stmt->fetch(PDO::FETCH_ASSOC);Get Configuration:
$stmt = $conn->prepare("SELECT * FROM hiveconfig WHERE id=1");
$stmt->execute();
$config = $stmt->fetch(PDO::FETCH_ASSOC);Get Latest Sensor Reading:
$stmt = $conn->prepare("
SELECT * FROM allhivedata
ORDER BY date DESC LIMIT 1
");
$stmt->execute();
$latest = $stmt->fetch(PDO::FETCH_ASSOC);Insert Log Entry:
$stmt = $conn->prepare("
INSERT INTO logs (date,program,type,message)
VALUES (?,?,?,?)
");
$stmt->execute([$date, $program, $type, $message]);Time-Range Query:
$stmt = $conn->prepare("
SELECT * FROM allhivedata
WHERE date >= datetime('now', '-7 days')
ORDER BY date ASC
");
$stmt->execute();
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);In Forms:
<form method="POST" action="?">
<?php echo csrf_field(); ?>
<!-- form fields -->
</form>In Handlers:
if ($_SERVER["REQUEST_METHOD"] == "POST") {
require_csrf_token(); // Dies if token invalid
// Process form
}Always escape user-controlled data:
// WRONG (XSS vulnerability):
echo '<td>' . $row['message'] . '</td>';
// CORRECT:
echo '<td>' . htmlspecialchars($row['message']) . '</td>';Always use parameterized queries:
// WRONG (SQL injection vulnerability):
$query = "SELECT * FROM logs WHERE type='$type'";
$conn->query($query);
// CORRECT:
$stmt = $conn->prepare("SELECT * FROM logs WHERE type=?");
$stmt->execute([$type]);function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
// Usage:
$hivename = test_input($_POST["hivename"]);// For dynamic column names in SQL
$allowed_columns = ['hivetempf', 'hiveHum', 'hiveweight', 'IN_COUNT'];
if (!in_array($column, $allowed_columns)) {
die("Invalid column name");
}<?php
include($_SERVER["DOCUMENT_ROOT"] . "/include/db-connect.php");
include($_SERVER["DOCUMENT_ROOT"] . "/include/security-init.php");
// Process form submissions
if ($_SERVER["REQUEST_METHOD"] == "POST") {
require_csrf_token();
// Handle POST data
}
// Query database
$stmt = $conn->prepare("SELECT * FROM hiveconfig WHERE id=1");
$stmt->execute();
$config = $stmt->fetch(PDO::FETCH_ASSOC);
?>
<!DOCTYPE html>
<html>
<?php include($_SERVER["DOCUMENT_ROOT"] . "/include/navigation.php"); ?>
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">Page Title</h1>
</div>
</div>
<!-- Page content -->
</html><?php
header('Content-Type: application/json');
include($_SERVER["DOCUMENT_ROOT"] . "/include/db-connect.php");
$range = $_GET['range'] ?? 'week';
// Query data
$stmt = $conn->prepare("SELECT * FROM allhivedata WHERE date >= ?");
$stmt->execute([$start_date]);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);
// Format for HighCharts
$output = [];
foreach ($data as $row) {
$timestamp = strtotime($row['date']) * 1000;
$output[] = [$timestamp, floatval($row['hiveweight'])];
}
echo json_encode($output);| File | Purpose | Security Features |
|---|---|---|
backup.php |
Database backup/restore | CSRF, IP logging |
changepassword.php |
Password management | CSRF, hash verification |
system.php |
System commands | CSRF, SQL injection fixed |
hiveconfig.php |
Basic configuration | Password not pre-filled |
instrumentconfig.php |
Sensor setup | Input validation |
siteconfig.php |
Site settings | Parameterized queries |
security-init.php |
Security initialization | Session security, CSRF |
db-connect.php |
Database connection | Error logging, no disclosure |
getchartdata.php |
Chart data API | Parameterized queries |
Database:
- SQLite WAL mode enabled for better concurrency
- Indexes on
datecolumn for fast time-range queries - Regular VACUUM for database maintenance
Frontend:
- Chart data cached by browser
- AJAX loading for charts (page loads faster)
- Minified CSS/JS in production
PHP:
- Execution time limits increased for large backups (300s)
- Memory limit increased for file operations (256M)
- Session garbage collection configured (1 hour)
- Check PHP error log:
/var/log/apache2/error.log - Verify database exists and is readable
- Check file permissions (www-data needs read/write)
- Open browser console (F12) for JavaScript errors
- Check chart data endpoint:
charts/getchartdata.php - Verify database has data:
SELECT COUNT(*) FROM allhivedata;
- Clear browser cookies
- Check session directory is writable:
/var/lib/php/sessions - Verify security-init.php is included
- Check .htpasswd file exists:
/home/HiveControl/www/.htpasswd - Verify password hash format
- Use changepassword.php to reset
Version 2.10 (2026-01-17)
- Added backup.php (backup & restore system)
- Added changepassword.php (password management)
- Added security-init.php (CSRF & session security)
- Fixed SQL injection vulnerabilities
- Fixed XSS vulnerabilities
- Improved session security
Version 2.09 and earlier
- See RELEASE file