pieceofcake2 / cakephp
The CakePHP framework
Installs: 357
Dependents: 11
Suggesters: 0
Security: 0
Stars: 2
Watchers: 0
Forks: 78
Open Issues: 0
Requires
- php: ^8.0
- ext-dom: *
- ext-libxml: *
- ext-simplexml: *
- composer/ca-bundle: ^1.5
- php81_bc/strftime: ^0.7.5
- symfony/polyfill-intl-icu: ^1.29
- symfony/polyfill-mbstring: ^1.29
Requires (Dev)
- cakephp/cakephp-codesniffer: ^5.0
- phpstan/phpstan: ^2.1
- phpunit/phpunit: ^9.6
- pieceofcake2/app: ^2.1
- pieceofcake2/phpstan-cakephp2: ^0.2.1
- rector/rector: ^2.1
Suggests
- ext-intl: Required to use IntlDateFormatter instead of strftime, if not Symfony polyfill will be used.
- ext-mbstring: For better performance with multibyte string operations, install the native mbstring extension instead of using the polyfill
- ext-mcrypt: You need to install ext-openssl or ext-mcrypt to use AES-256 encryption
- ext-openssl: You need to install ext-openssl or ext-mcrypt to use AES-256 encryption
Replaces
- cakephp/cakephp: ^2.0
This package is auto-updated.
Last update: 2025-10-05 20:57:32 UTC
README
This is a community-maintained fork of CakePHP 2.x that provides compatibility with PHP 8.0 and newer versions. The original CakePHP 2.x branch reached End of Life in June 2021.
Important
This fork is based on CakePHP 2.10.24. Earlier versions are not supported.
Warning
Do not use CakePHP 2.x for new projects! This fork is only for maintaining existing legacy applications. For new projects, please use CakePHP 5.x which has modern PHP support, better performance, and active development.
CakePHP 2.x Documentation | CHANGELOG
Requirements & Compatibility
PHP Versions
- PHP 8.0, 8.1, 8.2, 8.3, 8.4, 8.5
Database Support
- MySQL 5.6, 5.7, 8.0+ (with
pdo_mysql
extension) - PostgreSQL 9.4+ (with
pdo_pgsql
extension) - SQLite 3 (with
pdo_sqlite
extension) - Microsoft SQL Server 2022+ (with
pdo_sqlsrv
extension)
Required PHP Extensions
mbstring
- Multi-byte string support (optional, uses Symfony polyfill as fallback if not available)intl
- Internationalization support (optional, uses Symfony polyfill as fallback)openssl
- OpenSSL support (optional, required for SSL/TLS connections and encryption)mcrypt
- Mcrypt support (optional, deprecated in PHP 7.1+, only for legacy AES encryption)
Testing
- All tests pass with PHPUnit 9.6 across all supported PHP versions and databases
Installation
Important
This fork requires Composer for installation. Manual installation is not supported.
Install via Composer:
{ "require": { "pieceofcake2/cakephp": "^2.10" } }
Then run:
composer update
After installation, copy dispatcher files from the package to your application:
# Copy web dispatcher files cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/webroot/index.php app/webroot/index.php cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/webroot/test.php app/webroot/test.php # Copy console dispatcher cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/Console/cake app/Console/cake chmod +x app/Console/cake
Note
- This package uses Composer's
replace
directive to replacecakephp/cakephp
. - This ensures that all plugins and packages that depend on
cakephp/cakephp:^2.x
will continue to work correctly with this fork. - Dispatcher files provide better error messages and simplified autoload handling.
Application Skeleton
The application skeleton has been extracted to a separate package: pieceofcake2/app
Planning to migrate to CakePHP 5.x?
If you're planning to upgrade to CakePHP 5.x in the future, you can prepare now by adopting the modern directory structure while still on CakePHP 2.x:
Traditional migration approach (harder):
CakePHP 2.x → CakePHP 5.x
(change everything at once: code + folder structure + APIs)
New gradual migration approach (easier):
Step 1: CakePHP 2.x with traditional structure
↓ (modernize folder structure only)
Step 2: CakePHP 2.x with CakePHP 5.x-style structure ← You can stop here
↓ (upgrade code only)
Step 3: CakePHP 5.x with CakePHP 5.x-style structure
Benefits:
- ✅ Smaller, manageable changes: Separate folder restructuring from code changes
- ✅ Test incrementally: Verify each step works before moving to the next
- ✅ Reduced risk: You can stay on Step 2 indefinitely if needed
- ✅ Team-friendly: Easier for teams to understand and review smaller changes
See pieceofcake2/app
for the modern directory structure compatible with both CakePHP 2.x and 5.x.
Security
SSL/TLS Certificate Validation
This fork uses composer/ca-bundle
for SSL/TLS certificate validation (PR #15):
- System CA certificates: Uses OpenSSL's default certificate bundle when available (
openssl.cafile
oropenssl.capath
) - Fallback bundle: Falls back to Mozilla's CA certificate bundle maintained by composer/ca-bundle
- Automatic updates: CA certificates are kept up-to-date through Composer ecosystem
- No manual maintenance: Removed the outdated static
lib/Cake/Config/cacert.pem
file (last updated in 2016)
This approach ensures that HTTPS connections made by CakeSocket
(e.g., for external API calls) properly validate SSL/TLS certificates using current, trusted root certificates.
Known Vulnerabilities in Original CakePHP 2.10.24
The following security vulnerabilities have been reported in the original CakePHP 2.10.24:
CVE | Description | Status in this Fork |
---|---|---|
CVE-2015-8379 | CSRF protection bypass via _method parameter | ✅ Fixed in c0fb45e, tests in PR #6 |
CVE-2020-15400 | CSRF token fixation (exploitable with XSS) | ✅ Fixed in PR #5 |
Note
- CVE-2015-8379: The fix has been fully applied with comprehensive test coverage for
_method
parameter handling and custom HTTP methods. - CVE-2020-15400: Fixed by implementing HMAC-signed CSRF tokens that are cryptographically bound to the application. Tokens are now signed with the application's Security.salt, preventing token fixation attacks while maintaining backward compatibility with existing tokens.
Migration Guide
Prerequisites
Before migrating to this fork, ensure:
- Your application is running on PHP 7.4
- You're using CakePHP 2.10.24 (earlier versions are not supported)
- Your application uses Composer for dependency management
From Original CakePHP 2.x
- Update to CakePHP 2.10.24 first: If you're using an earlier version, update to
cakephp/cakephp:2.10.24
on PHP 7.4 first - Ensure PHP 7.4 Compatibility: Your application must be fully working on PHP 7.4 before migrating to PHP 8.x
- Update Composer: Replace
cakephp/cakephp
withpieceofcake2/cakephp
in yourcomposer.json
- Upgrade PHP: Update your PHP version to 8.0 or newer
- Test Thoroughly: Run your application's test suite to ensure compatibility
Breaking Changes
1. Composer-Only Installation Required (PR #14)
Breaking Change:
- Non-Composer installation is no longer supported
- Dispatcher files (
app/webroot/index.php
,app/webroot/test.php
,app/Console/cake
) require Composer autoload - Removed manual
CAKE_CORE_INCLUDE_PATH
detection from dispatcher files - Removed
include_path
manipulation logic - Removed legacy
app/Vendor/cakephp/cakephp
path detection - Removed
app/Console/cake.bat
andapp/Console/cake.php
(Windows batch file and PHP wrapper no longer needed)
Migration:
- Ensure you're using Composer for dependency management
- Copy updated dispatcher files from
vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/
to your application:cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/webroot/index.php app/webroot/index.php cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/webroot/test.php app/webroot/test.php cp vendor/pieceofcake2/cakephp/lib/Cake/Console/Templates/skel/Console/cake app/Console/cake
- Remove old dispatcher files if present:
rm -f app/Console/cake.bat app/Console/cake.php
- Run
composer install
to ensure all dependencies are properly loaded
2. Cache Engines Removed (PR #4)
Breaking Change:
- Xcache support has been removed (not compatible with PHP 7.0+)
- Wincache support has been removed (not actively maintained for PHP 8.x)
Migration:
- If using these cache engines, migrate to Redis, Memcached, or APCu
3. Database Driver Methods Added (PR #3)
Breaking Change:
- New methods added to database drivers (may cause issues if you have custom driver implementations)
MySQL Driver (Mysql.php):
getVersion(): string
- Returns MySQL/MariaDB/Aurora MySQL versiongetServerType(): string
- Returns 'MySQL', 'MariaDB', or 'Aurora MySQL'utf8mb4Supported(): bool
- Checks utf8mb4 character set supportintegerDisplayWidthDeprecated(): bool
- Checks if integer display width is deprecated (MySQL 8.0.17+)
PostgreSQL Driver (Postgres.php):
getVersion(): string
- Returns PostgreSQL version
Migration:
- If you have custom database drivers extending these classes, implement these methods
4. Database Charset Configuration Changes (PR #11)
Breaking Change:
- Character set configuration moved from
SET NAMES
to DSN connection options - MySQL: Charset now in DSN (e.g.,
mysql:...;charset=utf8
) - PostgreSQL: Client encoding in DSN options (e.g.,
pgsql:...;options='--client_encoding=UTF8'
) - PostgreSQL:
sslmode
parameter is now optional in DSN
Migration:
- No action required - changes are backward compatible
setEncoding()
methods still work for runtime changes- More efficient connection setup with charset in DSN
5. SQL Server Driver Updates (PR #9)
Breaking Changes:
5.1 Configuration Format
-
Schema-based configuration: Use schema mapping instead of multiple databases
// Old approach (still works) 'database' => 'cakephp_test2' // New recommended approach 'database' => 'cakephp_test', 'schema' => [ 'default' => 'dbo', 'test2' => 'test2', 'test_database_three' => 'test3', ]
-
Connection options: SSL/TLS options now in
options
array'options' => [ 'TrustServerCertificate' => 'yes', 'Encrypt' => 'no', ]
-
Port configuration: Specify port separately (automatically appended to server)
5.2 Method Signature Changes
describe($model): array
- Now has explicit return typeinsertMulti()
- Now returnsbool
instead ofvoid
Migration:
- Update SQL Server configuration to use schema mapping (optional but recommended)
- Move SSL/TLS options to
options
array if using inline DSN - If extending Sqlserver class, update method signatures to match
6. Mail Function Updates (PR #10)
Breaking Change:
MailTransport::_mail()
method signature changed with strict types- Old:
protected function _mail($to, $subject, $message, $headers, $params = null)
- New:
protected function _mail(string $to, string $subject, string $message, array|string $headers = [], string $params = ''): void
Migration:
- No action required unless you've extended
MailTransport
class - If extending, update method signature to match strict types
7. CSRF Token Security Enhancement (PR #5)
Breaking Change:
- New CSRF tokens use HMAC-SHA1 signatures (prevents CVE-2020-15400)
- Token format changed to base64-encoded (16-byte value + 20-byte HMAC)
Migration:
- No action required - automatic and backward compatible
- Existing tokens continue to work
- New tokens generated with enhanced security
8. strftime() Replacement
Breaking Change:
strftime()
deprecated in PHP 8.1, removed in PHP 8.2- Now uses
IntlDateFormatter
via Symfony's ICU Polyfill - Fallback to
PHP81_BC\strftime
for compatibility
Migration:
- Most date formatting works identically
- Edge cases may produce slightly different output
- Test date formatting in your application
9. Development Tools Updates
9.1 PHP CodeSniffer (PR #8)
- Updated from 1.0.0 to 5.3
- Applied automatic formatting fixes
Migration:
- Development-time change only
- Update
phpcs.xml
if you have custom coding standards
9.2 PHPUnit Compatibility
- Framework tests migrated to PHPUnit 9.6
- All deprecated PHPUnit features fixed
Migration:
- Update your tests if using deprecated PHPUnit features
10. PHP 8 Syntax Modernization (PR #7)
Breaking Change:
- Codebase modernized to PHP 8 syntax
Changes:
array()
→[]
get_class()
→::class
list()
→[]
for array destructuringdirname(__FILE__)
→__DIR__
- Added null coalescing operators
- Native
str_contains()
,str_starts_with()
,str_ends_with()
Migration:
- No action required - syntax changes only, no functionality changes
11. CookieComponent 'cipher' Type - Insecure and Should Be Replaced
Breaking Change:
- The default
CookieComponent
encryption type'cipher'
is horribly insecure
Warning
As stated in the CakePHP source code comments:
"Cipher is horribly insecure and only the default because of backwards compatibility. In new applications you should always change this to 'aes' or 'rijndael'."
Why 'cipher' is insecure:
- Uses
Security::cipher()
with XOR encryption (cryptographically weak) - Uses
Security.cipherSeed
with undefined float-to-int casting behavior - The seed value:
mt_srand((int)(float)Configure::read('Security.cipherSeed'))
has no guaranteed consistency - Not suitable for protecting sensitive data
Migration:
// OLD (insecure - DO NOT USE) public $components = [ 'Cookie' => [ 'type' => 'cipher' // Default, horribly insecure ] ]; // NEW (recommended) public $components = [ 'Cookie' => [ 'type' => 'rijndael' // or 'aes' ] ];
Important: Changing encryption type will invalidate existing cookies. Plan your migration strategy accordingly (e.g., support both types during transition period).
Running Tests
Using Docker (Recommended)
# Copy test database configuration cp lib/Cake/Test/Config/database.php app/Config/database.php # Start services docker-compose up -d # Install dependencies docker-compose exec web composer install # Run tests with specific database DB=mysql docker-compose exec web ./vendor/bin/phpunit DB=mysql80 docker-compose exec web ./vendor/bin/phpunit DB=pgsql docker-compose exec web ./vendor/bin/phpunit DB=sqlite docker-compose exec web ./vendor/bin/phpunit DB=sqlsrv docker-compose exec web ./vendor/bin/phpunit
Local Installation
# Install dependencies composer install # Set up database configuration cp app/Config/database.php.default app/Config/database.php # Edit database.php with your database credentials # Run tests ./vendor/bin/phpunit
Contributing
We welcome contributions! Please:
- Fork the repository
- Create a feature branch
- Ensure all tests pass
- Submit a pull request
Reporting Issues
If you find any PHP 8.x compatibility issues, please:
- Create an issue with a clear description
- Include PHP version and error messages
- Provide minimal code to reproduce the issue (if possible)
Project Goals
This fork aims to:
- ✅ Maintain PHP 8.x compatibility
- ✅ Fix critical bugs and security issues
- ✅ Keep tests passing on all supported platforms
- ✅ Support gradual migration path to CakePHP 5.x
- ❌ Add new features (focus is on compatibility and migration only)
License
This project maintains the original MIT License from CakePHP. See LICENSE for details.
Acknowledgments
- Original CakePHP 2.x framework by cakephp/cakephp
- Initial PHP 8 compatibility work by kamilwylegala/cakephp2-php8
- All contributors who help maintain this fork