I recently watched video tutorial about Facebook Messenger Bot. To get messages from user who used my messenger bot, facebook send raw json to my server using php://input and then the my server send them back to facebook as a reply messages. Facebook didn't use any parameters for forwarding users messages to my server. I just afraid that someone attacking or gathering info about my server using my messenger bot.
Sample code that Mr.Tutorial used :
file_put_contents("fb.txt", file_get_contents("php://input"));
And here is the video : https://www.youtube.com/watch?v=E2KOqRceipM