Which Facebook SDK to use with PHP 5.3?

You can still use the old one: https://github.com/facebookarchive/facebook-php-sdk

The api calls are the same. The new one is just the recommended one. You can even use your own CURL calls without any SDK.

You should use the latest one though, it may be a good idea to change your provider. PHP 5.4 should be an absolute minimum every serious provider supports.

For the old PHP, you don´t really need composer. Just download it and put in your server.

A year 2020 update to my answer -

I am sick of Facebook first deprecating the PHP version, then its complete PHP SDK and I have also noticed, that with Facebook Javascript SDK it is possible to pass a fake Facebook user id to my Facebook Canvas web app.

So I have written a pure PHP solution for fetching basic user information - on the server side and without using any external libraries.

My script is based on the fact that Facebook POSTs a signed_request parameter to all Canvas web apps.

You can see it if you add the following line at the top of the PHP script:

error_log(print_r($_POST, TRUE));

By parsing the "signed_request" parameter you get an "oauth_token", which can be used to fetch the "/me" GRAPH API page.

Here is my script and remember to replace the APP_ID and APP_SECRET by the values from the Facebook dashboard:

const APP_ID     = '1234567890';
const APP_SECRET = 'abcdefghijk';

$data            = parse_signed_request($_POST['signed_request']);
$oauth_token     = $data['oauth_token'];
$user_id         = $data['user_id'];
$photo           = "https://graph.facebook.com/$user_id/picture?type=large";

$me = json_decode(file_get_contents("https://graph.facebook.com/me?access_token=$oauth_token"), true);
list($given_name, $family_name) = explode(' ', $me['name'], 2);

# TODO use the $user_id, $given_name, $family_name, $photo in your web app!

function parse_signed_request($signed_request) {
    list($encoded_sig, $payload) = explode('.', strtr($signed_request, '-_,', '+/='), 2);

    $sig  = base64_decode($encoded_sig);
    $data = json_decode(base64_decode($payload), true);

    $expected_sig = hash_hmac('sha256', $payload, APP_SECRET, true);
    if ($sig !== $expected_sig) {
        exit('Wrong sig');
    }

    return $data;
}