Slim 2

  • Update unit tests for JSON decoding session cookie data
  • Update build status indicator in README file
  • Escape HTML in PrettyExceptions message and stack trace
  • Fixes object injection vulnerability in SessionCookie.php
  • Added new HTTP status codes
  • Added default HTTP request port for Google App Engine
  • Improved URI parsing
  • Miscellaneous improvements
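The object injection fix and the move to JSON decoding of session cookie data listed above are related: PHP's unserialize() can instantiate application classes named in client-supplied data, while json_decode() returns only arrays and scalars. The following is an added illustration, not Slim's own code; the TempFile class, the two decode functions and the cookie values are constructed for this example.

```php
<?php
// Added illustration, not Slim's source. All names and values are constructed.

// Stand-in for any application class whose magic method has side effects.
class TempFile
{
    public $path = '/tmp/app-cache';
    public static $cleaned = array();

    public function __destruct()
    {
        // A real class might delete $this->path here; this one only records it.
        self::$cleaned[] = $this->path;
    }
}

// Pattern that leads to object injection: native deserialization of cookie data.
function decodeSessionUnsafe($cookieValue)
{
    return @unserialize($cookieValue);
}

// Hardened pattern: JSON never produces instances of application classes.
function decodeSessionJson($cookieValue)
{
    $data = json_decode($cookieValue, true);
    return is_array($data) ? $data : array();
}

// Constructed cookie value that names an application class and sets its state.
$cookie = 'O:8:"TempFile":1:{s:4:"path";s:13:"client-chosen";}';

$session = decodeSessionUnsafe($cookie);
unset($session); // the object is destroyed, so __destruct() runs on client-supplied state
var_dump(TempFile::$cleaned);

TempFile::$cleaned = array();
var_dump(decodeSessionJson($cookie));            // not valid JSON, treated as an empty session
var_dump(decodeSessionJson('{"user_id":42}'));   // ordinary session data decodes to an array
var_dump(TempFile::$cleaned);                    // no object was created on the JSON path
```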

You can review commits at


You can now use redirectTo when you want to redirect to a named route. redirectTo is a shortcut for redirect(urlFor(..)).

$app->get('/', function () {})->name('home');
$app->get('/home', function () use ($app) {
    // Redirect to the route named "home"
    $app->redirectTo('home');
});

Route::via() and Route::appendHttpMethods()

You can now pass an array of methods to via() and appendHttpMethods().

$app->get('/', function () {
    echo "This route only available on GET and POST requests";
})->via(array('GET', 'POST'));

Other Changes

  • Fix failed test because of hardcoded directory separator on Windows
  • Add PHP 5.6 to Travis CI tests
  • Added how to run Slim on Google App Engine/Cloud Platform to the README.markdown
  • Lazy-initialize callables in \Slim\Route::setCallable()
  • Fix \Slim\Http\Util::parseCookie() for cookie values that contain "="
  • Improved debug stack trace output
  • Allow default values for \Slim\Http\Request::params()
  • Fix X-Forwarded-For header detection
  • Require phpunit as Composer dev dependency
  • Improve controller method name detection in \Slim\Route::setCallable()
  • Re-merge commits from a mistakenly-deleted earlier branch
  • Add (string) cast in encodeSecureCookie call to hash_hmac
  • Routes can be case-insensitive based on a config setting.
  • Try running unit tests on HHVM
  • Let Slim use the $_SERVER["HTTP_CONTENT_TYPE"] value for use with the PHP built-in server.

Class controllers

You may now use a controller class instance as a callback for your Slim app routes.

$app->get('/hello/:name', '\Greeting:sayHello');

In this example, when the app receives a request for "/hello/Josh", it will instantiate class \Greeting and pass the value "Josh" into its sayHello method.

Note that we separate the class name and the class method with a single ":" colon. This is a unique syntax used by Slim to implement this functionality. Do not confuse this with the "::" syntax used for static method calls.

Request parameter defaults

When fetching request data with the \Slim\Http\Request object's get(), post(), put(), patch(), or delete() methods, you can define the default value you want if the requested data is not available. For example:

$app->get('/books', function () use ($app) {
    // The second argument is returned when "genre" is absent from the query string
    $value = $app->request->get('genre', 'fiction');
});

In this example, we expect the HTTP request to have a URL query parameter genre. If this query parameter does not exist, we will use "fiction" as the default value.

View Template Data

You may now pass data into a view template with \Slim\View::display() and \Slim\View::fetch().

// Fetch a rendered template into a variable
$renderedTemplate = $app->view->fetch('my-template.php', ['foo' => 'bar']);

// Echo a rendered template to the output buffer
$app->view->display('my-template.php', ['foo' => 'bar']);

Other Changes

  • Remove mcrypt dependency
  • Add PHP 5.5 to Travis CI tests
  • Improve typehinting with popular PHP IDEs
  • Ensure application view template directory is defined on view construction
  • Add HTTP 418 status code to \Slim\Http\Response

Fixes \Slim\Environment path parsing issue for Windows users.

Fix a regression with \Slim\Environment path parsing. This regression affected developers relying on Apache Aliases or filesystem symlinks.

HipHop VM users must now explicitly define the SCRIPT_NAME server variable in their HHVM configuration file, at least until HipHop VM sets this server variable correctly on its own.

This is a maintenance release and remains backward-compatible with Slim 2.* applications.

  • Let \Slim\Flash implement Countable
  • Fix \Slim\Middleware\PrettyExceptions error when custom Log defined
  • Omit response body for HEAD requests
  • Add HHVM compatibility

This is a maintenance release with several bug fixes and improvements. All changes are backwards compatible with existing Slim 2.x applications.

  • Remove encryption concerns from \Slim\Middleware\SessionCookie middleware
  • Fix HTTP method override detection via X-HTTP-Method-Override header
  • Fix padding removal in \Slim\Http\Util::decrypt
  • Prevent XEE attack vector in \Slim\Middleware\ContentTypes::parseXml
  • Fix \Slim\Slim::urlFor when used with escaped regular expression characters
  • Add \Slim\Slim::__isset and \Slim\Slim::__unset methods
  • Add \Slim\Helper\Set::protect method to store Closure values that should not be invoked
  • Fix encrypted cookie expiration time during serialization into HTTP header
  • Fix Last-Modified and Expires header date format
  • Fix \Slim\View::setData so that it protects Closures used as template variables
  • Added route groups
  • Added resource locator
  • Added HTTP PATCH method support
  • Added new \Slim\Helper\Set interface
  • Fixed XSS exploit in \Slim\Slim::urlFor method
  • Simplified default error handler \Slim\Slim::handleErrors
  • Removed \Slim\Middleware\PrettyExceptions when not in debug mode
  • Let HTTP headers retain HTTP_ prefix if present
  • Added \Slim\Helper\Set interface to \Slim\Http\Headers and \Slim\Http\Cookies
  • Updated \Slim\Slim so that environment, request, response, router, log, and view are public properties.
  • Updated \Slim\Http\Request and \Slim\Http\Response so that headers and cookies are public properties that implement \Slim\Helper\Set.
  • Added \Slim\Http\Response methods setStatus(), getStatus(), setBody(), getBody(), and getLength()
  • Updated \Slim\Http\Response object so that its cookies and headers are not serialized and encrypted until the very end of the app lifecycle.
  • Updated \Slim\Log with PSR-3 interface
  • Deprecated \Slim\Log::warn(), replaced with \Slim\Log::warning()
  • Deprecated \Slim\Log::fatal(), replaced with \Slim\Log::critical()
  • Deprecated \Slim\Http\Request methods cookies() and headers()
  • Deprecated \Slim\Http\Response methods headers(), header(), length(), body(), status()
  • Deprecated \Slim\Http\Response interfaces ArrayAccess, Countable, and IteratorAggregate