Imagine a user enters their credit card information into a form and presses submit. Unsetting the globals doesn't directly enhance security, as php://input is still available, and credit card information should not be able to be read at all by third party code.

Using openssl (or similar) to secure user input is the answer. Either on all forms, or opted in forms, security should be applied automatically.

It should work like this:

• The public key of the application is injected as a hidden field on the form to be secured.
• A plain text password is also injected into the form.
• JavaScript should encrypt the data on submit, using the public key.
• PHP.Gt/Input should throw an exception and halt execution if the plaintext password is visible in plain text on php://input - this means the JavaScript has not been run.

Working code: https://github.com/g105b/aesjs-test

This issue was created before Stripe had published its cross-origin payment input system, and is now out of scope. If this functionality is required in the future it should be managed in its own repository.