Custom PHP development and legacy modernization - the kind you can read, audit and own.
Intention InfoService builds custom PHP without a heavy framework - applications, APIs, small tools and endpoints - and modernizes the legacy PHP you already run, by a small senior team, in typed, tested, standard PHP at transparent published fixed prices. Most PHP a buyer is shown is the cheap kind; this page is about the other kind, and about how to tell the difference. You own the code outright, with no lock-in. For startups, SMBs and enterprises worldwide.
Fixed price, code you own, no lock-in.
- You own 100% of the code
- Published fixed pricing
- Typed, tested, standard PHP
PHP in 20268.5
- Language
- PHP 8.4 / 8.5, typed
- Tooling
- Composer, PSR, PHPStan, Pest
- Runtime
- PHP-FPM, or FrankenPHP
- The real work
- Legacy PHP, done properly
A supported line, under Composer, tested and type-checked - not the cPanel box its reputation is stuck on.
Raw, custom and legacy PHP - not content sites
This page is the plain-PHP and legacy lane: bespoke PHP without a heavy framework, APIs and small tools, and the whole job of keeping and modernizing PHP you already run. A typical engagement is one of these:
Custom PHP without a framework
Bespoke PHP applications where a full framework would be overhead you do not need - tight control over what runs, fewer moving parts, no framework upgrade treadmill. The discipline stays the same: typed, tested, under Composer.
APIs, services and endpoints
REST and JSON APIs, webhook receivers and single-purpose services in plain PHP or a micro-framework like Slim - a clean, documented surface for a front end, a mobile app or another system to talk to.
Small tools, scripts and CLIs
The one-endpoint internal tool, the cron job, the import script, the snippet embedded in an existing PHP page - small utilities done to the same bar as an application, not thrown together and forgotten.
Legacy PHP rescue & modernization
The biggest lane: an old codebase on an end-of-life PHP line, often with no framework or an old one and no tests. We move it forward incrementally, with the lights on, instead of a big-bang rewrite.
Security & version upgrades
Getting a codebase off an unsupported PHP line and onto one that still gets security patches, closing the classic injection and escaping gaps along the way. Often the single highest-value, lowest-drama piece of work.
Maintenance & support
Ongoing care for an existing custom-PHP codebase - dependency and version updates, bug fixes and small features - so a running system stays healthy instead of drifting quietly toward the danger zone.
When it is really a framework, a CMS or a store
Plain PHP is the right base for small, tightly-scoped work and for modernizing what already exists. When your project is really one of these, we will point you to the right place rather than talk you into hand-rolling it:
A new custom application you want built on a framework - Laravel, for building a new custom application on a framework is usually the better call - shared conventions, an ORM, auth and an admin story in the box, and a large hiring pool. Plain PHP is the right base for small, tightly-scoped work and for modernizing what already exists; a greenfield application with real scope belongs on the framework.
A content, blog or brochure site your team edits - WordPress, when the job is content not code is the honest choice - still PHP, just built for editors with themes and plugins rather than a codebase. We will not sell you a bespoke build where a CMS is what you actually need.
An online store or shopping cart - WooCommerce, the self-hosted PHP store is where PHP e-commerce lives - a catalog, cart and checkout you own on WordPress. Building all of that from raw PHP is rarely worth it when a mature store platform exists.
Cheap PHP and good PHP are the same language. The difference is in the code, and you can read it.
PHP has a floor and a ceiling, and most of what a buyer is handed sits near the floor - not because the teams who wrote it failed, but because PHP is very good at making code that just works under deadline, and a lot of that code is still online. The problem is that on the surface it all looks the same. So instead of asking you to trust that ours is the good kind, here are the tells that separate the two - a ruler you can hold up against any PHP you are ever shown: a rival's quote, a freelancer's last commit, or the codebase you already own and are a little afraid of.
| The cheap kind, the tells | Done right, the tells |
|---|---|
| An end-of-life PHP version, with no more security patches coming | A supported line, its currency shown by 8.4 and 8.5 features |
| Dependencies hand-copied into the repo, no Composer | Composer with a committed lockfile and PSR-4 autoloading |
| SQL built by pasting user input into strings | Parameterized queries through PDO, output escaped at render |
| No tests, and nothing runs in a pipeline | Tested with PHPUnit or Pest, run on every change in CI |
| require and include spaghetti, files nobody can map | A PSR-4 structure that a static analyser reads clean |
| Everything is a loosely-typed string | Typed properties, enums and readonly, so tools can check it |
Run that column against every PHP quote on your desk. A shop working near the floor cannot publish this table, because their own work fails it - which is exactly why it is worth publishing. And if the code in question is the legacy PHP you already run, this is the same checklist we start a rescue from.
What modern PHP actually gives you
PHP is the load-bearing majority of the web, and the current language is nothing like the one its reputation is stuck on. Here is what it buys you when it is written to the right side of that ruler - and, honestly, when it is the wrong tool.
A typed, analysable language
Typed properties and parameters, enums, readonly, property hooks and a pipe operator in the current line. The footguns that earned the old reputation are opt-out by default now, and a static analyser can prove large classes of them gone.
A real package ecosystem
Composer and Packagist give PHP a mature dependency ecosystem with PSR interoperability standards, so you assemble from well-maintained, auditable libraries instead of copy-pasting code nobody can update.
A talent pool that will still be here
A huge amount of the web runs on PHP, which means a deep hiring pool and long-lived tooling. A codebase in standard, modern PHP is one you can staff and hand over for years, not a niche only its author understands.
Friendly to gradual modernization
You rarely have to choose between leaving PHP frozen and rewriting it. Composer, static analysis with a baseline, and automated refactoring let an old codebase move forward one reviewed step at a time, in production.
Deploys like anything modern
PHP-FPM behind Nginx, containerized with Docker so the environment lives in the repo, and a worker-mode app server when throughput earns it. Modern PHP deployment has nothing to do with files dragged onto a shared host.
Defenses that are well understood
The classic PHP wounds - injection, unescaped output, cross-site request forgery - have standard, checkable countermeasures. Security is a discipline you keep applying, and modern PHP hands you the safe path by default.
When raw PHP is the wrong choice
Plain PHP earns its place on small, tightly-scoped work and on modernizing what already exists. It is the wrong starting point - and we will say so - when you are building a new application with real scope, where hand-rolling routing, auth and a data layer just recreates a private framework only your last developer understood: that belongs on Laravel, the batteries-included PHP framework. When the core of the product is hard real-time at scale, or one JavaScript language across front and back end, Node.js on the event loop is the sharper tool; when it leans on data, automation or machine learning, Python, the data language leads. And if the job is really content your team edits, that is WordPress. Not sure which way to go? We will pick the right stack for the job, not the one this page happens to be about.
Modern PHP engineering, not shared-hosting PHP
There is no live PHP running this static Next.js site to point at, so the proof is the discipline. Everything here is an artifact you can inspect on any vendor's work, ours included - a lockfile, a static-analysis config, a test step, a Dockerfile - which is the whole point: you should never have to take our word for what right looks like.
Typed, modern PHP 8.4/8.5
Typed properties and parameters, enums, readonly, first-class callables, property hooks and asymmetric visibility, and the pipe operator. What you check: open a file and you find type declarations and enums, not mixed everywhere and stringly-typed arrays.
Composer and PSR autoloading
Dependencies managed by Composer with PSR-4 autoloading and a committed lockfile, so the tree is auditable and reproducible - not hand-copied library folders nobody can update. What you check: a composer.json and composer.lock in the repo, and composer audit runs clean or against a tracked list.
PSR and PHP-FIG standards
Written to the shared standards the ecosystem agreed on - PSR-4 for autoloading, PSR-12 for style, PSR-7 and PSR-15 for HTTP messages and middleware where the app is framework-light - so the next engineer already knows the shape. What you check: the code reads like every other modern PHP codebase, so onboarding is fast.
Static analysis in CI
PHPStan or Psalm running at a defined level in the pipeline, with a baseline file so a legacy codebase can adopt it without a stop-the-world rewrite and then ratchet the level up. Whole classes of bug die here, before review. What you check: a phpstan.neon or psalm.xml in the repo and a green analysis step.
Tested with PHPUnit or Pest
Automated tests through the real code paths - PHPUnit, the long-standing standard, or Pest for its lighter syntax - run on every change. On legacy work the first tests pin what the system does today before anything is touched. What you check: a tests directory and a test step that actually runs, not a README promise.
One code style, enforced
Formatting applied by machine with Pint or PHP-CS-Fixer, so style is never a review argument and diffs show intent, not whitespace. Style drift is the first visible symptom of an unmaintained codebase. What you check: a style config in the repo and a formatting check that fails on drift.
Automated upgrades with Rector
Rector applies mechanical, reviewable refactors at scale - upgrading syntax to a newer PHP line, turning PHPDoc into real type declarations, migrating a framework version - as reviewed pull requests, not a hand-edit marathon. What you check: a rector.php config and upgrade commits that are auditable rule by rule.
Parameterized data access
Database access through PDO or a mature query builder with bound parameters, never input concatenated into SQL. This one discipline closes the classic injection vector that gave 2000s-era PHP its name. What you check: grep the codebase and you find prepared statements and bound parameters, not a query with a raw request value in it.
Reproducible runtimes, not a shared host
PHP-FPM behind Nginx as the reliable baseline, containerized with Docker so the PHP version, extensions and config are defined in the repo and rebuild identically on a laptop, in CI and in production. What you check: a Dockerfile and compose file, and an app that boots the same everywhere.
Worker-mode app servers when earned
FrankenPHP in worker mode, RoadRunner, or Swoole and OpenSwoole keep the application booted in memory instead of paying full startup on every request - a real throughput gain, adopted once it is measured and warranted, not by default. What you check: a before-and-after profile, not a benchmark screenshot from someone else.
Raw PHP, held to the same bar
When the right answer is plain PHP with no framework - a small utility, one endpoint, a webhook receiver, a snippet in an existing page - it still gets Composer, types, static analysis and a test. No framework is a scope decision, not permission to lower the bar. What you check: even the one-file tool has a lockfile and a test.
Security as method, at every boundary
Parameterized queries against SQL injection, output escaping against cross-site scripting, CSRF tokens on state-changing requests, validation where untrusted input enters, secrets in the environment not source, and the OWASP Top Ten as a standing review checklist. What you check: named defenses you can point to in the diff, not a secure-by-design badge.
How we take on a PHP engagement: get onto a supported PHP line and signal currency through 8.4 and 8.5 features, put the code under Composer with PSR-4 autoloading, add static analysis and a test suite before changing behavior, format with Pint, and use Rector for the mechanical upgrades. We deploy on PHP-FPM and Nginx in Docker, and reach for a worker-mode app server only once a profile says it will pay. And when the codebase is really a framework job, a CMS job, or a rewrite, we say so: a new custom application on a framework is Laravel, content your team edits is WordPress, and we reach for Node or Python when the workload is theirs.
We won't pretend this page is PHP.
Our React and Next.js pages can say 'this page is the technology, inspect it.' This one can't, and we won't fake it. Our site is a static Next.js and React build, and even the toolchain that compiles it runs on Node, not PHP - so PHP powers none of what you're reading: not the runtime, not the build, not one line, and not even the package manager, which is npm and not Composer. We just handed you the tells for spotting real PHP from a badge, so the single cheapest thing we could do is fail our own test and glue a 'Built with PHP 8.5' sticker on a page that has no PHP in it. We didn't - because the moment we'd fake that is the moment the ruler we just gave you is worth nothing.
The depth on this page is the demo
The capability detail above is written by people who know current PHP practice cold - typed 8.4 and 8.5, Composer and PSR, PHPStan or Psalm in CI, Pest or PHPUnit, Rector for upgrades, PDO for data access. Dated or hand-wavy PHP vocabulary is how you spot an amateur on a PHP page; ours is current, and that competence, stated as capability and never as a result we invented, is the proof that actually travels. Everything we just claimed is a discipline you can verify from an artifact, not a number you have to believe.
You own 100% of the code, IP and data
Standard, plain PHP in your repository, deployed to your host and your database, on your domain - the source, the schema and the data yours from day one. Nothing is held hostage on our side, and there is no account-manager gate between you and your own code.
No lock-in, by construction
Mainstream open PHP on Composer and PSR interfaces, in the conventional layout any competent PHP team can pick up and maintain. We never wrap your app in a bespoke in-house framework only we understand - the thing that turns a freelancer leaving into a crisis.
We take on code we did not write, after an audit
Inheriting a PHP codebase you cannot read is the most common reason people call us. The first step is never a quote - it is a look at what the application actually does, the state of its dependencies and whether it can still be upgraded, so we can tell you honestly whether a rescue or a rewrite is the cheaper path before you commit.
Senior people, direct
You talk to the engineers who write your PHP and design your schema - no offshore hand-off, no juniors learning on your budget. This is the line between the standard, tested PHP we write and the seat-rental PHP the market is full of.
Security-minded, honestly
We build on the defenses modern PHP gives us - parameterized queries and PDO against SQL injection, output escaping, CSRF tokens, hashed auth - alongside OWASP practices and changes shown to you in staging before they reach production. On credentials, the honest picture: there is no company-level or agency-level PHP certification to hold - the Zend Certified PHP Engineer credential is an individual exam a developer sits, not an agency badge - and there is no PHP vendor partner program at all, because no single company owns PHP. It is governed in the open by The PHP Group and the community-funded PHP Foundation, which is something a firm funds, not a badge it earns; that governance is a feature, not a gap, since no vendor can relicense the language or pull it out from under you. We hold no SOC 2 report and no ISO 27001 certification, and there is no HIPAA certification for anyone to hold. If your project legally needs a vendor who carries a formal attestation, we will say so plainly.
A registered company since 2016
Intention InfoService is a real, incorporated company, small and senior on purpose - so a PHP codebase stays architecturally consistent from the first audit to deployment instead of passing between rotating hands.
We ship web software built from the same parts - honestly labelled
Our production work is real, custom web builds - a professional-training platform rebuild and a financial-services site - built from the exact primitives a PHP application is made of: relational data models, an authenticated accounts and roles layer, a searchable, filterable catalog, enquiry and enrolment funnels, a real-time affordability calculator, certificate validation, an admin surface a non-technical team runs itself, and third-party integrations that have to not break. You can see the two builds, labelled for exactly what they are, and never dressed up as PHP projects, because they weren't. What they prove is one true thing: this team ships working software that models real data, handles auth and structured enquiry flows, and holds up in production. The PHP-specific proof is not a borrowed case study - it is the depth on this page and the standard, open PHP and Composer code you would own outright.
How we modernize a legacy PHP codebase - without a big-bang rewrite
The instinct to throw it all away is usually wrong - a rewrite restarts the clock on every bug the old system already fixed. We move it forward incrementally, with the lights on. A new build follows the same assess-first discipline, and most work moves in weeks, not months.
Assess before touching
daysWe map the PHP version, the dependencies, how config and secrets are handled, and where untrusted input reaches SQL - and produce a risk-ordered picture of what is dangerous, what is merely dated, and what is fine. No changes yet.
Onto a supported line, under Composer
firstThe highest-value, lowest-drama step: get the runtime onto a PHP line that still receives security patches, and bring the code under Composer with PSR-4 autoloading so it can adopt modern tooling at all.
Pin the behavior, then analyse
before changesCharacterization tests to lock what the system does today, including its quirks, so later changes have a safety net - then static analysis with a baseline, so no new bugs of known classes get in while we work through the old ones.
Modernize incrementally
in sprintsRector applies the mechanical upgrades - syntax to the target PHP line, PHPDoc into real types - as reviewed pull requests, while we refactor the risky parts by hand behind the tests. The system keeps running the whole time.
Extract seams, or stop
on deliveryWhere the app genuinely needs a framework, we carve out seams and stand up new functionality behind one, replacing the old system piece by piece. Where it does not, we stop - modern raw PHP is a legitimate destination. Either way you own a documented, tested codebase outright.
What to do with the PHP you already own
The most common PHP decision is not which framework to pick - it is what to do with the codebase you inherited. Here is the honest comparison, and the column we reach for first is not the one that bills the most.
| Keep and modernize | Rebuild on a framework | Rewrite in another language | |
|---|---|---|---|
| What it means | Upgrade and refactor the PHP you have, in place | Rebuild the application on a PHP framework | Start over in a different language |
| Best when | The code still runs and the domain logic is sound | You are staying in PHP but raw code has outgrown itself | The workload has genuinely shifted, or the source is lost |
| Time & risk | Lowest - incremental, reversible, the lights stay on | Moderate - a real project, but PHP skills carry over | Highest - it restarts the clock on every solved bug |
| What you own after | The same codebase, now modern, typed and tested | A standard framework application | A new codebase in the new stack |
| Our honest take | Usually the right call, and where we start | When plain PHP is the bottleneck, not PHP itself | A last resort, not a first move |
Most legacy PHP can be walked across the line in place, which is where we start. When plain PHP really is the limit, a new build on Laravel, the framework layer over PHP is the move; when the workload has shifted to real-time or data, a rewrite to another language can be right, but it is the last resort, not the first. Not sure which situation you are in? We will scope it with you, and we will not sell you a rewrite because it bills more.
What custom PHP and legacy modernization cost
No quote wall. A PHP web build is priced by our published web tiers - the same numbers on our pricing page and everywhere else. Most PHP work, though, is legacy: a rescue, an upgrade or a modernization of code you already own, which is genuinely scoped rather than dropped into a tier. You always see the price before you commit.
Starter
1 week
A single-page site or landing page, live fast
Launch Sprint
2-3 weeks
Startups needing a fast, credible site
Growth Site
3-5 weeks
SMBs that want a lead engine
Commerce Sprint
4-6 weeks
DTC / e-commerce brands
MVP Sprint
6-10 weeks
Pre-seed / seed founders
How PHP work maps to these numbers
These tiers price a PHP web build the same way we price any web build - a small tool or endpoint sits at the low end, a fuller custom PHP application at the upper tiers. But a legacy rescue, a version upgrade or a modernization is genuinely scoped work, not a fixed tier, so it enters through our custom software Discovery Sprint from $1,000, which ends in a written scope and a fixed build quote. And ongoing upkeep of an existing PHP codebase - updates, patches and small fixes - runs on a website maintenance care plan, not a fresh build.
See full package details on pricing and our custom software service.
PHP development, answered
What is PHP used for?
PHP is a server-side language that runs a large share of the web. On this page we cover it in its raw, no-framework form: custom PHP applications without a heavy framework, REST and JSON APIs, small tools, scripts and webhook receivers, and - most often - maintaining and modernizing existing PHP codebases. When the job is a new application with real scope, a framework like Laravel is usually the better base, and we will point you there.
What is the difference between PHP and Laravel?
PHP is the language; Laravel is a framework written in PHP. Laravel is modern PHP done the framework way - it ships routing, an ORM, auth and an admin story so you build product instead of plumbing. This page is about PHP itself: plain PHP without a framework, and keeping or modernizing PHP you already run. If you are building a new custom application, that usually belongs on Laravel, which we cover on its own page.
Do I need a PHP framework, or is plain PHP enough?
For a single endpoint, a small utility, a webhook receiver or a snippet embedded in an existing page, plain PHP is often simpler and easier to reason about - fewer moving parts and no upgrade treadmill. The moment you have routing, auth, a data layer and background jobs across more than a couple of engineers, hand-rolling those recreates a private framework only your last developer understood. That is when a real framework earns its keep.
Is PHP outdated?
PHP's reputation was earned honestly - PHP 4 and 5 had an inconsistent standard library and loose-typing footguns. The current language is not that language: PHP 8.4 and 8.5 are typed, have enums and readonly, and are statically analysable. The real risk is not PHP in the abstract, it is which PHP - a codebase on an end-of-life version, untyped and untested, versus a supported line written with modern discipline. We build the second kind.
Is PHP secure?
Insecure is a property of a codebase and the version it runs on, not of the language. The classic PHP wounds were string-concatenated SQL and unescaped output, and they have standard, checkable defenses: parameterized queries through PDO, output escaping, CSRF tokens, validation at every trust boundary, and a supported PHP line that still gets security patches. We apply those as method - security is a practice you keep, not a stamp we put on the finished product, and we never sell a guarantee.
Is my PHP version still safe to run?
The mechanism is what matters: once a PHP version reaches end of life, it stops receiving security patches, so new vulnerabilities in the runtime itself are simply never fixed for you. PHP 5.x and 7.x are long past that line, and PHP 8.1 has now reached it too. If you are on one of those, the highest-value first step is getting onto a supported line - which is usually less disruptive than teams fear, and something we do incrementally.
Should I rewrite my PHP app or modernize it?
Usually modernize. A rewrite restarts the clock on every bug the old system already found and fixed, and the second system almost always overshoots. Most legacy PHP can be walked forward in place - onto a supported version, under Composer, behind tests - with the business still running. A full rewrite is the right call only in narrow cases, like a runtime too old to boot on supported infrastructure or source that is effectively lost. We will tell you honestly which situation you are in.
Can you take over or maintain an existing PHP codebase?
Yes, and the first step is always an audit rather than a quote. We look at what the application actually does, the state of its dependencies, and whether it can still be upgraded, then tell you whether a rescue is cheaper than a rewrite or the opposite. Ongoing upkeep - version and dependency updates, security patches, bug fixes and small features - runs on a monthly care plan, which we cover on our website maintenance service.
PHP vs Node.js vs Python - which backend should I choose?
It depends on the workload, and we build in all three. For a new server-rendered, CRUD-heavy web application in PHP, a framework like Laravel is usually the pick; raw PHP is strongest for small services and for maintaining existing PHP. Node.js is the better fit for real-time features, high-concurrency I/O and one JavaScript language across the stack, and Python leads when the work is data, automation or machine learning. We recommend the fit, not the language this page is about.
Can you build a REST or JSON API in PHP?
Yes. For an API-only service we use plain PHP or a micro-framework like Slim, written to PSR standards - PSR-7 and PSR-15 for HTTP messages and middleware - with validation as the contract, consistent error shapes, and documentation that tracks the code. If the API is part of a larger application with auth, an admin and background jobs, a full framework is usually the better home, and we will say so.
Does this website run on PHP?
No, and we will not pretend it does. This site is a static Next.js and React build, and even the toolchain that compiles it runs on Node, not PHP - so PHP powers none of what you are reading, right down to the package manager, which is npm and not Composer. The proof on this page is not a badge, it is the engineering depth and the standard, open PHP code you would own outright.
Are you certified in PHP, or a PHP partner?
There is no company-level or agency-level PHP certification to hold - the Zend Certified PHP Engineer credential is an individual exam a developer sits, not an agency badge - and there is no PHP vendor partner program at all, because no single company owns PHP. It is governed in the open by The PHP Group and the community-funded PHP Foundation, which is something a firm funds, not a badge it earns. We would rather be the firm whose code you can audit than the firm with the most logos.
How much does PHP development cost?
We publish fixed tiers instead of a quote wall: Starter from $300, Launch Sprint from $1,500, Growth Site from $4,000, Commerce Sprint from $7,000, and an MVP Sprint from $12,000 for a web app with a real backend. A custom PHP build maps onto those the way any web build does. A legacy rescue, upgrade or modernization is scoped through a custom-software Discovery Sprint from $1,000 that ends in a fixed quote. No hourly rates, no mystery pricing.
Do I own the PHP code you write?
Yes - 100% ownership. It is standard, plain PHP on mainstream open-source packages managed by Composer, in your repository and deployed to your own host, so the code, the database schema, the data and the IP are yours from day one, and any competent PHP team can take it over. No proprietary lock-in, no in-house framework only we understand. Fixed pricing and code you own outright are the whole point.
Ready to build or modernize PHP?
Get a fixed-price quote for a custom PHP build, a legacy upgrade or ongoing maintenance - clean, standard PHP you own outright, with no lock-in and no quote wall.

