Skip to main content

TiCore v2 vs Laravel, Symfony, CodeIgniter & Slim

How TiCore v2 (Tuxxin Integrated Core) stacks up against the most widely-used PHP frameworks and bare PHP on what matters in production: its explicit router, onion middleware, drop-in addon ecosystem, first-party CLI, secure-by-default posture, and config-driven structured-data / SEO layer.

Status key: Built in  |  Partial / setup required  |  Not included (package / manual). The TiCore v2.0 column is shown bold and shaded as the subject of each table.

Routing

TiCore v2 ships an explicit, expressive router with a five-tier dispatch: pattern routes → legacy add() routes → controller auto-discovery → traversal-guarded view fallback → 404. You get full parameter, constraint, catch-all, HTTP-verb, named-route and group support without giving up zero-config conventions.

Routing feature comparison across PHP frameworks and bare PHP
Routing capability TiCore v2.0 Laravel Symfony CodeIgniter Slim Bare PHP
Required single-segment param ({slug}) Built in.Built inBuilt inBuilt inBuilt inNot included. manual
Optional param ({id?}) Built in.Built inBuilt inBuilt inBuilt inNot included. manual
Constrained param ({id:\d+}, regex) Built in.Built inBuilt inBuilt inBuilt inNot included. manual
Catch-all / unlimited depth ({path:.*}) Built in.Built inBuilt inPartial — setup required.Built inNot included. manual
HTTP-verb helpers + 405 (get/post/put/patch/delete/any/match) Built in.Built inBuilt inBuilt inBuilt inNot included. manual
Method override (_method / X-HTTP-Method-Override, POST→PUT/PATCH/DELETE) Built in.Built inBuilt inPartial — setup required.Partial — setup required.Not included.
Named routes + reverse URLs (route() / url()) Built in.Built inBuilt inBuilt inPartial — setup required.Not included.
Nestable route groups (prefix + middleware) Built in.Built inBuilt inBuilt inBuilt inNot included.
Global middleware on every matched route Built in.Built inBuilt inBuilt inBuilt inNot included.
Five-tier dispatch (pattern → legacy → auto-discovery → view → 404) Built in.Not included.Not included.Partial — setup required. auto-routingNot included.Not included.
Zero-config controller / view auto-discovery Built in.Not included.Not included.Partial — setup required. auto-routingNot included.Not included.
Traversal-guarded view fallback (segment whitelist + realpath) Built in.Not included.Not included.Not included.Not included.Not included.

Nuances unique to v2: get() maps both GET and HEAD; the _method/X-HTTP-Method-Override override only ever upgrades a POST to PUT/PATCH/DELETE (a safe GET can’t be spoofed into a write); and a path that matches with the wrong verb returns 405 Method Not Allowed rather than falling through to a 404.

Middleware

Middleware in TiCore implements a single-method onion contract. A MiddlewareInterface::handle(Request $request, callable $next): Response can run logic before, call $next($request) to continue, act on the way out, or return a Response to short-circuit — all in one method.

Middleware feature comparison across PHP frameworks and bare PHP
Middleware capability TiCore v2.0 Laravel Symfony CodeIgniter Slim Bare PHP
Onion pipeline (before + after in one method) Built in.Built inBuilt inPartial — setup required. FiltersBuilt in PSR-15Not included.
Short-circuit by returning a Response Built in.Built inBuilt inPartial — setup required.Built inNot included.
Named middleware aliases (csrf / auth / guest / apikey) Built in.Built inPartial — setup required.Partial — setup required.Not included.Not included.
Per-route, per-group and global ordering (merge order defined) Built in.Built inBuilt inBuilt inBuilt inNot included.
Dependency-free runner (no Composer middleware lib) Built in.Not included.Not included.Partial — setup required.Partial — setup required. PSR-15 libNot included.

Resolution order for a matched route: global middleware (run on every route) → group middleware (merged ahead) → the route’s own middleware. The csrf alias enforces tokens only on POST/PUT/PATCH/DELETE; auth gates the session and returns 401 JSON or a redirect; apikey guards the /api/v2 group.

Routing & middleware — the everyday pattern
<?php /** @var \TiCore\Core\Router $router */
use TiCore\Core\Http\Request;
use TiCore\Core\Http\Response;

// Required param + named route (reverse URLs via route('blog.show', [...]))
$router->get('/blog/{slug}', 'BlogController@show')->name('blog.show');

// Constrained param ({id:\d+}); optional param; catch-all of any depth
$router->get('/post/{id:\d+}', fn(Request $r) => Response::json(['id' => (int) $r->param('id')]));
$router->get('/users/{id?}', 'UserController@show');
$router->get('/docs/{path:.*}', 'DocsController@show');

// HTTP verbs + middleware alias array; match() for an arbitrary verb list
$router->post('/contact', 'ContactController@submit', ['csrf']);
$router->match(['PUT', 'PATCH'], '/post/{id:\d+}', 'PostController@update', ['auth']);

// Nestable group: shared prefix + middleware
$router->group(['prefix' => 'admin', 'middleware' => ['auth']], function ($router) {
    $router->get('/dashboard', 'Admin\DashboardController@index')->name('admin.dashboard');
    $router->post('/posts', 'Admin\PostController@store', ['csrf']);
});

// Runs on EVERY matched route (merged before per-route middleware)
$router->globalMiddleware(['csrf']);

Addon Ecosystem, CLI, Auth & Payments

TiCore v2 ships 10 drop-in addons installed with one CLI command (bin/ticore addon add <slug>), pulled straight from the public repo into TiCore/addons/<slug>. Auth and payments are first-party addons, not third-party SDKs.

Addon ecosystem, CLI, auth and payments comparison across PHP frameworks and bare PHP
Capability TiCore v2.0 Laravel Symfony CodeIgniter Slim Bare PHP
First-party CLI tool Built in. bin/ticoreBuilt in artisanBuilt in consoleBuilt in sparkNot included.Not included.
Drop-in addon installer (fetch & register a feature) Built in. 10 addonsPartial — setup required. packagesPartial — setup required. bundlesNot included.Not included.Not included.
Built-in auth (accounts / login / roles) Built in. auth addonBuilt inBuilt inBuilt in ShieldNot included.Not included.
Self-creating auth tables (no migration step) Built in.Not included.Not included.Not included.Not included.Not included.
Built-in payments — Stripe + PayPal, webhooks, GA4 purchase event Built in. payments addonPartial — setup required. Cashier (Stripe)Not included.Not included.Not included.Not included.
Dependency-free payment clients (no Stripe/PayPal SDK) Built in.Not included. SDK-basedNot included.Not included.Not included.Not included.
REST API kit: hashed keys + per-IP rate limiting + /api/v2 Built in. rest-api-kitPartial — setup required. SanctumNot included.Not included.Not included.Not included.

The 10 addons

auth

User accounts, login/register/logout, hardened sessions, roles, and the guest/auth middleware aliases. Self-creates its SQLite tables on first boot.

payments

Stripe + PayPal checkout, subscriptions and webhooks via dependency-free REST clients, plus a GA4 purchase event.

blog-cms

SQLite blog: public listing, single post and category pages, with an auth-protected, CSRF-guarded admin and safe markdown rendering.

contact-mailer

Contact form with honeypot anti-spam and CSRF, delivering through the MailerSend REST API and degrading gracefully when unconfigured.

admin-dashboard

Dark admin shell listing the logged-in user, PHP version and installed addons, with a reusable layout for other admin pages.

rest-api-kit

Hashed API keys (shown once), an apikey header-auth middleware with per-IP token-bucket rate limiting, a versioned /api/v2 group and a server-side proxy console.

indexnow

Serves /indexnow-key.txt and submits URLs (including the sitemap) to the IndexNow API for instant indexing.

google-analytics-gsc

Read-only SEO dashboard pulling 28-day Search Console clicks/impressions + GA4 sessions via a service-account RS256 JWT (no SDK).

google-ecommerce

Google Merchant Center product feed (RSS 2.0 + g: namespace) with a sample provider and a setup guide.

schema-generator

Stateless hosted form that outputs an escaped JSON-LD block plus the matching SITE_* PHP config snippet SchemaBuilder consumes.

Install any addon with bin/ticore addon add <slug> — browse them all on the addons page.

First-party CLI (bin/ticore)

Where competitors ship artisan, console or spark, TiCore ships bin/ticore — command-for-command:

TiCore bin/ticore CLI command reference
Command What it does
ticore addon list List installed addons (slug, version, description) read from each addon.json.
ticore addon add <slug> Fetch an addon from the public repo into TiCore/addons/<slug> using its files[] manifest.
ticore addon remove <slug> Delete an installed addon directory (DB tables, if any, are left intact).
ticore key:generate Print a fresh 32-byte cryptographically-random hex secret for .env.
ticore secrets:scan Scan the project for committable secrets (GitHub/Stripe/AWS/Google/GCP/PEM/AdSense/inline); exits non-zero on any hit.
ticore migrate Glob and list addon migration files; many addons self-migrate on first boot.
ticore help Print the CLI usage summary (the default when no command is given).

See the full CLI reference for usage and examples.

Secure by Default

Security isn’t a checklist you remember to bolt on. Every dispatch emits defensive headers, routing is traversal-guarded, sessions are hardened, and a secrets:scan CLI plus gitleaks CI keep credentials out of commits. See the full security model.

Security and architecture comparison across PHP frameworks and bare PHP
Security posture TiCore v2.0 Laravel Symfony CodeIgniter Slim Bare PHP
CSRF middleware (constant-time, 419) Built in. csrfBuilt inPartial — setup required. BundleBuilt inNot included.Not included.
XSS output escaping helper Built in. e()Built in BladeBuilt in TwigPartial — setup required.Not included.Not included.
Security headers on every dispatch (frame/nosniff/referrer/permissions) Built in.Not included.Not included.Not included.Not included.Not included.
Traversal-guarded routing (segment whitelist + realpath) Built in.Partial — setup required.Partial — setup required.Partial — setup required.Not included.Not included.
Hardened sessions (HttpOnly / Secure / SameSite + regeneration) Built in.Built inBuilt inPartial — setup required.Not included.Not included.
PDO prepared statements throughout Built in.Built inBuilt inBuilt inPartial — setup required.Not included.
Application code outside the public web root Built in. www/Built inBuilt inPartial — setup required.Not included.Not included.
Secret scanning CLI + gitleaks CI Built in. secrets:scanNot included.Not included.Not included.Not included.Not included.
Cloudflare-aware client IP (CF-Connecting-IP) Built in.Not included.Not included.Not included.Not included.Not included.
License MIT MIT MIT MIT MIT

Structured Data & SEO

TiCore is the only one of these frameworks to ship a complete, config-driven SEO layer in its default layout. SchemaBuilder emits a schema.org @graph (WebSite + Organization + WebPage) and reads optional SITE_* config constants to enrich it — everywhere else you reach for a Composer package or manage tags by hand.

Structured data and SEO feature comparison across PHP frameworks and bare PHP
SEO capability TiCore v2.0 Laravel Symfony CodeIgniter Slim Bare PHP
Canonical URLs in the default layout Built in.Partial — setup required. PackagePartial — setup required. ManualPartial — setup required. ManualNot included.Not included.
Open Graph (title / description / url / image) Built in.Partial — setup required. PackagePartial — setup required. ManualPartial — setup required. ManualNot included.Not included.
Twitter / X card Built in.Partial — setup required. PackagePartial — setup required. ManualPartial — setup required. ManualNot included.Not included.
JSON-LD @graph (WebSite + Org + WebPage) Built in. SchemaBuilderNot included.Not included.Not included.Not included.Not included.
Per-page nodes (Product / Article / FAQ / Breadcrumb) Built in. $ctx['extra']Not included.Not included.Not included.Not included.Not included.
Config-constant schema model (SITE_*) Built in.Not included.Not included.Not included.Not included.Not included.
Hosted JSON-LD generator addon Built in. schema-generatorNot included.Not included.Not included.Not included.Not included.
Google Analytics 4 in the layout Built in.Not included.Not included.Not included.Not included.Not included.
Auto-generating sitemap Built in.Partial — setup required. PackagePartial — setup required. BundlePartial — setup required. PackageNot included.Not included.
IndexNow instant indexing Built in. indexnow addonNot included.Not included.Not included.Not included.Not included.
Merchant Center product feed Built in. google-ecommerceNot included.Not included.Not included.Not included.Not included.
SEO packages required 0 Not included. packageNot included. manualNot included. manualNot included. manualNot included. manual

The schema-generator addon outputs an escaped <script type="application/ld+json"> block and the matching SITE_* PHP config snippet, so the Organization, sameAs, ContactPoint, PostalAddress and AggregateRating details flow straight into SchemaBuilder.

Why TiCore v2 Is Different

TiCore v2 pulls together what most PHP stacks scatter across packages and bespoke base templates: an explicit five-tier router with params, constraints, catch-all, named routes and nestable groups; a dependency-free onion middleware pipeline with csrf/auth/guest/apikey aliases; 10 drop-in addons installed by a first-party bin/ticore CLI; and first-party auth and payments (Stripe + PayPal) with no SDKs.

It is secure by default — security headers on every dispatch, traversal-guarded routing, hardened sessions, and a secrets:scan CLI plus gitleaks CI — and ships a config-driven SEO layer (canonical, Open Graph, Twitter card, GA4, and the SchemaBuilder JSON-LD @graph) that other frameworks treat as an afterthought.

Share: 𝕏 Twitter Facebook LinkedIn
Proton VPN — 10 device connections, audited no-logs
Recommended: Proton Unlimited
VPN, encrypted Drive, encrypted Mail, password manager — one bundle. See the full review →