I've just read the PHP section on http://projects.webappsec.org/Null-Byte-Injection. The example it provides is pretty dumb - I mean, why would you ever want to include a file based on an outside param without checking it first (for directory traversal attacks, for one)? So, if following standard PHP security practices, such as
- encoding user-entered data on display
- validating user-entered stuff that works with files
- preventing CSRF
- not running uploads via something that executes PHP
- etc
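To make the include scenario the question refers to concrete, here is an added example (not code from the original post or from the projects.webappsec.org page). It assumes a hypothetical page loader that takes a `page` parameter and includes a file from a `pages/` directory; the function names and the allowlist contents are invented for illustration. The first function is the unchecked pattern; the second never uses the parameter as a path fragment at all.

```php
<?php
// Added example, not from the original post or the referenced page.
// Hypothetical page loader: the caller supplies ?page=about

// Unchecked pattern, the kind of thing the referenced page shows.
// On PHP before 5.3.4 a request for "../../etc/passwd%00" became
// "../../etc/passwd": the C-level open() stopped at the NUL byte,
// silently discarding the ".php" suffix that was meant to pin the
// extension. Modern PHP refuses paths containing NUL bytes, but the
// directory traversal part of the problem remains.
function loadPageUnchecked(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened version: the parameter is a lookup key into a fixed
// allowlist (constructed for this example), never part of a path.
function resolvePage(string $page): ?string
{
    static $allowed = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];

    // Reject NUL bytes and anything that is not a short plain slug, so
    // the input can carry neither truncation nor traversal characters
    // even if the allowlist below were ever relaxed.
    if (strpos($page, "\0") !== false
        || !preg_match('/^[a-z0-9_-]{1,32}$/', $page)) {
        return null;
    }

    return $allowed[$page] ?? null;
}

function loadPageSafe(string $page): void
{
    $file = resolvePage($page);
    if ($file === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include __DIR__ . '/pages/' . $file;
}

// Self-check of the resolver with constructed inputs.
assert(resolvePage('about') === 'about.php');
assert(resolvePage("../../etc/passwd\0") === null);
assert(resolvePage('../../etc/passwd') === null);
assert(resolvePage('about.php') === null); // only bare slugs are accepted
```

The point of the allowlist form is that the null-byte question becomes moot: the attacker-controlled string is compared against known keys and is never concatenated into a filename, so neither `%00` truncation nor `../` traversal has anything to act on.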