Without proper care, developers can leave their CakePHP website open to cross-site scripting attacks. Controllers using scaffold functions do not take care to sanitize data, and leaves the website vulnerable. When using the bake tool in the console, it generates controllers as simple as the scaffold version. Some suggest storing the unsanitized data and escape the dangerous characters on output. In a perfect world I would agree with this approach, but it is easy to forget to sanitize output every time, or for an amateur developer to be ignorant of the dangers.
CakePHP is one of my favorite web frameworks. There is one glaring security hole that caught my attention though. Without proper care from the developer, users have the potential to tamper with data sent with forms. For example, a common operation is to take the value from a form and save it like this:
Let's say the user manipulates the form and adds this line:
There are many PHP frameworks out there, but 2 of my personal favorites are Drupal and CakePHP. WordPress is another popular in the world, and I have done many projects with it. I will say that WordPress has great documentation and a clean API, but it is rather limited in its capabilties. CakePHP and Drupal have proven to be flexible, scalable, and perfect for certain uses. The bottom line in this debate is that both are great, and both serve their purposes. Between CakePHP and Drupal, I feel a project of any size can be accomplished.