String parsing for PHP < 5.3.4 is susceptible to the poison null byte.
The best way to defend against these attacks is to simply sanitize strings by explicitly removing any null bytes they contain.
$sanitized_string = str_replace(chr(0), '', $original_string);
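The same `str_replace` call applied to whole request arrays, as an added example that is not part of the original page. It goes beyond the single-string case by also covering nested arrays and their keys. The function names `strip_null_bytes` and `has_null_byte` and the `$request` sample are hypothetical, and the code avoids newer syntax so it also runs on old PHP 5 releases.

```php
<?php
// Added example, not from the original page. Function names are hypothetical.

/**
 * Remove null bytes from a string, or recursively from every key and
 * value of a (possibly nested) array such as $_GET or $_POST.
 */
function strip_null_bytes($input)
{
    if (is_string($input)) {
        return str_replace(chr(0), '', $input);
    }
    if (is_array($input)) {
        $clean = array();
        foreach ($input as $key => $value) {
            // Array keys come from the request too, so clean them as well.
            $clean_key = is_string($key) ? str_replace(chr(0), '', $key) : $key;
            $clean[$clean_key] = strip_null_bytes($value);
        }
        return $clean;
    }
    return $input; // ints, floats, bools, null: nothing to strip
}

/** Report whether a string contains a null byte, so the request can be logged. */
function has_null_byte($value)
{
    return is_string($value) && strpos($value, chr(0)) !== false;
}

// Constructed sample input standing in for request data.
$request = array(
    'file' => "report" . chr(0) . ".txt",
    'tags' => array("a" . chr(0), "b"),
    'page' => 3,
);

// Record the event before cleaning; legitimate clients do not send null bytes.
if (has_null_byte($request['file'])) {
    error_log('null byte found in "file" parameter');
}

$clean = strip_null_bytes($request);
var_dump($clean['file'] === 'report.txt');
var_dump($clean['tags'][0] === 'a');
var_dump($clean['page'] === 3);
```

Sanitize once at the point where input enters the application, before any value reaches a filesystem or include call.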