A 19-Year-Old Student Built a Production-Grade E-Commerce Platform in 3 Months with GitHub Copilot
Syed Ahmer Shah, a software engineering student from Pakistan, built Commerza — a full-featured PHP + MySQL e-commerce platform — in three months. The project includes a storefront, admin panel, Stripe/COD payments, CSRF protection, reCAPTCHA v2/v3, rate limiting, audit logs, stock locking, SMTP failover, Argon2id password hashing, and SQL injection defenses across all user-facing mutation paths.
Key metrics: 80 PHP files, 339 total tracked files, 136 commits, PHP 62.6% / JavaScript 20.8% / CSS 15.0% / PowerShell 1.6%.
How Copilot Accelerated Development
Shah estimates that without AI, the project would have taken 6–8 months. With GitHub Copilot (using Claude Sonnet 4.6, Claude Opus 4.6, and GPT-5.2-Codex), he completed it in 3–4 months. Copilot generated approximately 78% of the backend code.
> "I learned PDO, Argon2id, CSP nonces, idempotency keys, stock locking, Cloudinary server-side signing, APCu caching, and Redis connection pooling — all through reading, testing, and interrogating code that Copilot generated."
Concrete Technical Details
SMTP Failover with Duplicate Suppression
Copilot introduced a dual-route architecture with duplicate-suppression check to prevent sending the same email twice if both SMTP routes are responsive. The fallback logic:
function send_mail(string $to, string $subject, string $html_body): bool {
$primary = smtp_transport('primary');
$secondary = smtp_transport('fallback');
// Suppress duplicate route — if both point to same host/account, skip fallback
if (same_transport($primary, $secondary)) {
return attempt_send($primary, $to, $subject, $html_body);
}
if (attempt_send($primary, $to, $subject, $html_body)) {
return true;
}
// Primary failed — try fallback
return attempt_send($secondary, $to, $subject, $html_body);
}
Three-Level Security Model
Copilot helped design a security severity model with three levels:
- Level 1 (Baseline): Input escaping, prepared statements
- Level 2 (Sensitive forms): CSRF tokens, reCAPTCHA v3 with 0.65 score threshold, hostname validation, challenge_ts freshness
- Level 3 (Critical money paths): Stock locking with
SELECT ... FOR UPDATE, idempotency key consumption, high-value COD OTP threshold
reCAPTCHA Hybrid System
Copilot generated a hybrid CAPTCHA system that uses reCAPTCHA v3 with strict score threshold (0.65 default), action validation, hostname checking, and challenge_ts freshness. If v3 isn't active, it falls back to v2. Additionally, a honeypot field and an arithmetic/knowledge fallback CAPTCHA with hashed answers per nonce and attempt lockout are included.
What Shah Wrote by Hand
Shah emphasizes that he wrote every frontend file manually: HTML structure, CSS design system, Bootstrap grid, jQuery interactions. Copilot suggestions during frontend work were mostly ignored. The architecture decisions, testing, debugging, and code review were all his.
Copilot's Limitations
Copilot wasn't always correct. Shah rejected or modified:
- SQL string concatenation in helper queries (forced prepared statements everywhere)
- reCAPTCHA logic that didn't validate hostname or challenge_ts (requested hardening)
- Rate limiter without burst tolerance (would have flagged fast-typing legitimate users)
> "You're the architect. Copilot is a very fast contractor who sometimes cuts corners. Review everything."
AI as Teacher, Not Crutch
Shah argues that AI-assisted development taught him more than it replaced. He learned enterprise patterns — like SMTP duplicate suppression, idempotency keys, and stock locking — that he would not have encountered otherwise. The alternative wasn't learning from scratch; it was shipping something less secure and less complete.
What's Next
Commerza is archived (May 5, 2026) — not abandoned, but reached a satisfactory state. Shah notes incomplete PDO migration and rough admin UI pages. The codebase is open-source on GitHub for others to learn from or extend.
