Hypothetically, if I was forced into a hosting situation where I had to use PHP 5.3.3, and phalcon 1, are there any security concerns to be aware of? Or is it just missing out on performance / shiny new features?
thanks : )
Just don't do this. Just don't be forced, don't agree to do this and that's it :)
I'll also chime in with my misgivings... Using a crucial piece of software that old (any, not just PHP) would basically render your project a free meal for zombies and hackers. If a hosting company only provides php5.3, steer clear of them, there will probably be other issues too. If it's a limitation imposed by your customer, explain the extreme risks of an outdated software.
Regarding your actual question, the devs have always payed attention to security considerations, so you'll have more issues with php5.3 than the framework itself. If you still want to go down that suicidal road, you can always sift through the release changelogs on github ;]
@Izo could you elaborate pls?
I'm under the impression that there are no serious differences between those language regarding development speed, performance and integration. GO may be the exception for it's performing a bit better and the whole organizing/OOP principles are peculiar (for me at least)
Is PHP(7) really outdated? If so, why?
Well i like PHP much more than JS... PHP imho is overall better language than JS.
what i ment is that php 5.3 is really outdated, and probably this website will never be updated. If other languages are not an option i would not use frameworks because they wont get updated ( since they all dropped php 5.3 support or if they didnt they will any moment ). If he is stuck with 5.3 i guess would be better to use some up-to-date language. He can use angular for frontend and even if you dont know node you can learn how to recieve and send jsons in just a few hours/days.
I am not a fan of nodejs because of those server crashes, yes there are many workarounds for that but .. come on.. and the other thing with node is that it has nothing to do with the other languages, because everything is a callback, of a callback of a callback and so on. But for simple stuff like api shizzle sohuld be fine.
At least that is my opinion ...
I'm sick and tired of those 'hosting company experts' which are sleeping under their roof for a winter dream of 10-15 years. It's the same with one of my projects - they have ages old Apache and PHP 5.4 only. So all I can do is put Phalcon v2.0.13 there. Their entire stack is a security black hole, but they still want the project. Well, what can you do - just do it in old and unsupported stack but issue a big red warning - in case of any trouble, do not call me, it's your own shit.
With Java is even worse, with that many companies still stuck with JRE 1.6, and if you configure your API with a decent TLS config, they cannot connect as JRE 1.6 does not support DHE keys > 1024bits, and nowdays I use 4096 bits by default.
It's like that - people who do those jobs are waaaay late and should not be dealing with that stuff at first place, for obvious reasons.