What Is New in CakePHP 2.7
CakePHP 2.7 is a maintenance release focused on security updates, bug fixes, and preparing the framework for its final End of Life. It introduces several deprecations to guide developers towards modern practices and CakePHP 3.x.
| Category | Key Changes |
|---|---|
| Security | Enhanced cross-site request forgery (CSRF) protection and cookie encryption. |
| Deprecations | Marked several methods and classes as deprecated, including core components and helpers. |
| API & Behavior Changes | Updates to SecurityComponent, CookieComponent, and FormHelper. |
| Bug Fixes | Corrections for routing, model associations, and view rendering issues. |
| Improvements | Better PHP 7 compatibility and internal code cleanup. |
How is Security Enhanced in 2.7?
The primary security upgrade is in the SecurityComponent. It now automatically enables the CSRF protection features that were previously opt-in. This change makes applications more secure by default against forged requests.
In practice, you might see CSRF errors if your forms weren't previously using SecurityComponent or its unlockedFields. The CookieComponent also received updates to its encryption handling, strengthening how sensitive data is stored client-side.
What Methods Should I Stop Using?
This release deprecates a significant set of methods to signal the path towards CakePHP 3.x. Key deprecations include the entire Cache engine class, the String class (use CakeText instead), and several View helpers like JsHelper and RssHelper.
Common Deprecated Calls
- Controller::postConditions()
- View::loadHelpers() (use the $helpers property)
- Hash::numeric() and Hash::dimensions()
- Static calls to Cache::*() methods
Your application will still run, but these calls will trigger deprecation notices. It's a clear signal to refactor that code now.
Are There Breaking Changes in the API?
Yes, there are a few behavioral changes that could break existing functionality if you were relying on specific edge cases. The FormHelper::input() method no longer generates a <div> wrapper by default, which can affect your form layout CSS.
Routing behavior was adjusted for consistency. For example, using Router::url() on an array with a missing 'controller' key will now throw an exception instead of failing silently. This matters because it catches configuration errors earlier in development.
What Bug Fixes Are Most Relevant?
The fixes target common pain points in the 2.x lifecycle. Model association conditions now handle NULL values more predictably. Issues with pagination and the containable behavior in complex queries have been resolved.
View rendering saw fixes for nested layouts and block management. There were also corrections to the Set utility class (a predecessor to Hash) to align its output with documented behavior, preventing subtle data transformation bugs.
FAQ
Is upgrading to CakePHP 2.7 required for security?
Yes. This release includes important security patches for the CSRF and Cookie components. Running an earlier version of the 2.x branch exposes your application to known vulnerabilities that are now fixed.
My forms are failing with blackhole errors after upgrading. What's wrong?
This is likely due to the now mandatory CSRF protection in SecurityComponent. Ensure all your forms are created with FormHelper (which adds the required token) and review any fields you may need to unlock using $this->Security->unlockedFields.
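One way to apply and diagnose this, as an added example that is not from the original page or the CakePHP project: a controller that keeps the CSRF check on, unlocks a single script-managed field, and logs which SecurityComponent check failed. OrdersController, the Order.line_items field and the blackhole method name are assumptions for illustration.

```php
<?php
// Added example. OrdersController, 'Order.line_items' and the callback
// name 'blackhole' are hypothetical; adapt them to your application.
App::uses('AppController', 'Controller');

class OrdersController extends AppController {

    public $components = array(
        'Security' => array(
            // Keep CSRF token validation on rather than disabling it
            // to make the errors go away.
            'csrfCheck' => true,
            // Route failed checks to a method that records the reason.
            'blackHoleCallback' => 'blackhole',
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Unlock only the field that client-side script adds or rewrites,
        // and only for the action that needs it. Every other field stays
        // covered by the form-tampering hash.
        if ($this->request->params['action'] === 'edit') {
            $this->Security->unlockedFields = array('Order.line_items');
        }
    }

    // Invoked by SecurityComponent when a request is blackholed.
    // $type names the failed check, e.g. 'csrf', 'auth' (form
    // tampering) or 'secure' (SSL required).
    public function blackhole($type) {
        $this->log(sprintf(
            'Security blackhole type=%s url=%s ip=%s',
            $type,
            $this->request->here,
            $this->request->clientIp()
        ), 'warning');
        throw new BadRequestException(__('The request could not be validated.'));
    }
}
```

In the view, build the form with $this->Form->create() and $this->Form->end() so the token fields are emitted. The logged type separates a missing or expired CSRF token from a field that was changed after the form was rendered.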
I see many deprecation warnings. Can I ignore them?
You can temporarily, but you shouldn't. CakePHP 2.7 is the last planned release before the 2.x branch reaches End of Life. These warnings point to APIs that will be removed entirely in the future, breaking your application. Plan to refactor away from deprecated features.
What should I use instead of the deprecated Cache class?
You should transition to using the Cache class instance methods. Instead of calling Cache::write() statically, call write() on an engine instance obtained via Cache::engine('default'). The new approach is more flexible and aligns with CakePHP 3's design.
Does this release improve performance?
Not directly. The focus was on security, stability, and deprecations. Some internal cleanup might offer minor benefits, but the main goal is to provide a secure and stable foundation for the final phase of the 2.x series.