I recently watched video tutorial about Facebook Messenger Bot. To get messages from user who used my messenger bot, facebook send raw json to my server using php://input and then the my server send them back to facebook as a reply messages. Facebook didn't use any parameters for forwarding users messages to my server. I just afraid that someone attacking or gathering info about my server using my messenger bot.
Sample code that Mr.Tutorial used :
file_put_contents("fb.txt", file_get_contents("php://input"));
And here is the video : https://www.youtube.com/watch?v=E2KOqRceipM
php://input isn't any more or less secure than your telephone. If you pick up the phone and someone tells you to burn your house down, do you burn your house down? Probably not.
If you do something like exec(php://input) (psuedocode), you're going to have a bad day. If instead you just read the input stream and properly handle the data you're getting, you're fine.
There's nothing inherently secure or insecure about the input stream. It's what you do with it that matters.