Unfortunately I've reached a bit of a dead end. Due to various legacy and other reasons, I can't upgrade a system to PHP 5.4. And according to Facebook, I need 5.4 to run the latest SDK.

I'm willing to settle for a lower SDK, but:

1. Will I be okay if I use an older SDK?
2. Which SDK should I use?

Bonus Question:

3. What should the composer path be changed to to use the old SDK? Currently I have:

   "facebook/php-sdk-v4" : "4.0.*"

You can still use the old one: https://github.com/facebookarchive/facebook-php-sdk

The api calls are the same. The new one is just the recommended one. You can even use your own CURL calls without any SDK.

You should use the latest one though, it may be a good idea to change your provider. PHP 5.4 should be an absolute minimum every serious provider supports.

For the old PHP, you don´t really need composer. Just download it and put in your server.

You can still use the deprecated (but still working) facebookarchive/facebook-php-sdk.

And I don't think this will change soon, because that code was forked over 3000 times at Github and there are probably still ten thousands of apps using it.

Here a successfull user information fetch with the old Facebook PHP SDK (tested at my server with PHP 5.3) -

It is year 2016 and it still works - both as Canvas callback and as OAuth callback:

<?php

require_once('facebook-php-sdk-3.2.3/src/facebook.php');

const TITLE      = 'My amazing app';
const REDIRECT   = 'https://example.com/myapp/';

$client = new Facebook(array(
        'appId'  => REPLACE_ME,
        'secret' => REPLACE_ME,
));

if (isset($_REQUEST['logout'])) {
        $client->destroySession();
        header('Location: ' . REDIRECT);
        exit(0);
}

if ($client->getUser()) {
        try {
                $me = $client->api('/me?fields=id,first_name,gender');
                $body = '<PRE>' . print_r($me, TRUE) . '</PRE>';
        } catch (FacebookApiException $ex) {
                error_log($ex);
                $body = '<PRE>' . htmlspecialchars($e->getMessage()) . '</PRE>';
        }
} else {
        $body = sprintf('<P><A HREF="%s">Login</A></P>', $client->getLoginUrl());
}

?>

<!DOCTYPE HTML>
<HTML>
<HEAD>
        <TITLE><?= TITLE ?></TITLE>
</HEAD>
<BODY>
        <?= $body ?>
        <P><A HREF="<?= REDIRECT ?>?logout">Logout</A></P>
</BODY>
</HTML>

Do not forget to -

1. Get app id and secret at Facebook console
2. Register the https://example.com/myapp/ as Canvas callback (and also optionally as valid OAuth2 redirect URL) at the same place

Another alternative would be to use the Facebook SDK for JavaScript (here with jQuery):

<!DOCTYPE HTML>
<HTML>
<HEAD>
        <TITLE><?= TITLE ?></TITLE>
        <SCRIPT SRC="//ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></SCRIPT>
        <SCRIPT>
                $(document).ready(function() {
                        //$.ajaxSetup({ cache: true });
                        $.getScript('//connect.facebook.net/en_US/sdk.js', function() {
                                FB.init({
                                        'appId'  : '<?= APP_ID ?>',
                                        'xfbml'  : false,
                                        'cookie' : true,
                                        'status' : true,
                                        'version': 'v2.6'
                                });     
                                FB.login(function(response) {
                                        if (response.authResponse) {
                                                console.log('Fetching your information.... ');
                                                FB.api('/me?fields=id,first_name,gender', function(response) {
                                                        console.log(response);
                                                });
                                        } else {
                                                console.log('User cancelled login or did not fully authorize.');
                                        }
                                });
                        });
                });
        </SCRIPT>
</HEAD>
<BODY>
        <?= $body ?>
        <P><A HREF="<?= REDIRECT ?>?logout">Logout</A></P>
</BODY>
</HTML>

But using PHP SDK is preferable though - because the information is already there (via POST or HTTP redirect) and because the JavaScript SDK shows a login popup or darkens the page every time the page is loaded and actually requires user click to be shown without browsers blocking it.

No, you are not risking anything by using the older version of php-sdk. As was noted, you can write your own curl and not use the SDK. That is how my App was written until 2013.

Here's the old version:

{
    "require": {
        "facebook/php-sdk" : "3.2.3"
    }
}

Then:

php composer.phar require facebook/php-sdk:3.2.3