freenode_anonmon777[m]: Here are a few answers:
Sorry, I'm not aware of good PHP/Node libraries but am sure there will be one.

Janus attack is still possible. There are several approaches to preventing it but AFAIK decisions have not been made yet: https://www.reddit.com/r/Monero/comments/kswcgh/is_janus_attack_still_possible/

Janus attack is quite edge case and expensive for the attacker usually AFAIK.

Most merchants will use subaddresses rather than integrated addresses, I think. (certainly in my experience).

There isn't anywhere to put a "private message", really. Do not use `tx_extra`, it is frowned upon because it bloats the blockchain. Also tx_extra may well be removed in a future monero upgrade. Bear in mind there are man, many merchants who integrate Monero without needing any private message stored in the transaction.