We have moved our forum to GitHub Discussions. For questions about Phalcon v3/v4/v5 you can visit here and for Phalcon v6 here.

Phalcon v1 / PHP 5.3

Hypothetically, if I was forced into a hosting situation where I had to use PHP 5.3.3, and phalcon 1, are there any security concerns to be aware of? Or is it just missing out on performance / shiny new features?

thanks : )



I can't give you a valid answer regarding phalcon itself, but for sure, regarding php, it's a bad idea because it isn't supported anymore: https://php.net/supported-versions.php

Just don't do this. Just don't be forced, don't agree to do this and that's it :)

edited Dec '16

I'll also chime in with my misgivings... Using a crucial piece of software that old (any, not just PHP) would basically render your project a free meal for zombies and hackers. If a hosting company only provides php5.3, steer clear of them, there will probably be other issues too. If it's a limitation imposed by your customer, explain the extreme risks of an outdated software.

Regarding your actual question, the devs have always payed attention to security considerations, so you'll have more issues with php5.3 than the framework itself. If you still want to go down that suicidal road, you can always sift through the release changelogs on github ;]

edited Dec '16

if i have to use php 5.3 i will probably not use any framework tbh


i mean if its a new project i wont even bother with php at this point. node / go /ruby / angular + python ... probably its much better choice in this case scenario in 2016+

@Izo could you elaborate pls?

I'm under the impression that there are no serious differences between those language regarding development speed, performance and integration. GO may be the exception for it's performing a bit better and the whole organizing/OOP principles are peculiar (for me at least)

Is PHP(7) really outdated? If so, why?

What you mean outdated ? No it's not, normal language as others.

Yes, that's my opinion too. But recently, I've seen a lot of blogs praising GO and NodeJS versus PHP. I have yet to see a convincing benchmark though... so I was only asking why he thinks PHP is not worth it in 2016+ :D

Well i like PHP much more than JS... PHP imho is overall better language than JS.

edited Dec '16

what i ment is that php 5.3 is really outdated, and probably this website will never be updated. If other languages are not an option i would not use frameworks because they wont get updated ( since they all dropped php 5.3 support or if they didnt they will any moment ). If he is stuck with 5.3 i guess would be better to use some up-to-date language. He can use angular for frontend and even if you dont know node you can learn how to recieve and send jsons in just a few hours/days.

I am not a fan of nodejs because of those server crashes, yes there are many workarounds for that but .. come on.. and the other thing with node is that it has nothing to do with the other languages, because everything is a callback, of a callback of a callback and so on. But for simple stuff like api shizzle sohuld be fine.

At least that is my opinion ...

Thanks for the input everyone : )

I should have clarified, it is an existing busy-ish site (serving ~10 million pageviews a month including searchbots) , and we are moving servers for "commercial" reasons, the site currently runs php5.6 with phalcon 3

edited Dec '16

I'm sick and tired of those 'hosting company experts' which are sleeping under their roof for a winter dream of 10-15 years. It's the same with one of my projects - they have ages old Apache and PHP 5.4 only. So all I can do is put Phalcon v2.0.13 there. Their entire stack is a security black hole, but they still want the project. Well, what can you do - just do it in old and unsupported stack but issue a big red warning - in case of any trouble, do not call me, it's your own shit.

With Java is even worse, with that many companies still stuck with JRE 1.6, and if you configure your API with a decent TLS config, they cannot connect as JRE 1.6 does not support DHE keys > 1024bits, and nowdays I use 4096 bits by default.

It's like that - people who do those jobs are waaaay late and should not be dealing with that stuff at first place, for obvious reasons.