According to what I read online, to prevent null byte attacks I should use the following on all user input:
$data = str_replace(chr(0), '', $data);
Makes sense to me. However, how do you do this on images the user has uploaded via a form? I don't have much experience dealing with images like this.
I'm assuming you can't just do it like:
$_FILES['pic']['tmp_name'] = str_replace(chr(0), '', $_FILES['pic']['tmp_name']);
As mentioned in comments, PHP is no longer generally vulnerable to this attack. Attempts to open files with names containing null bytes will now fail, instead of opening an unexpected file.
Even in versions of PHP that were vulnerable to this attack, no filtering was necessary for uploaded files. The temporary file name used for uploaded files is generated internally by PHP, and will not contain null bytes or any other "surprising" special characters such as spaces.
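As an added example (not code from the original question or answer): an upload handler that passes `tmp_name` through untouched, as described above, and applies the null-byte check to the one file name the client does control, `$_FILES['pic']['name']`. The function names, the extension list and the `/srv/uploads` directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Function names and the
// allowed-extension list are assumptions made for illustration.

const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function upload_target(string $clientName, string $uploadDir): string
{
    // $_FILES[...]['name'] comes from the client, so it is user input.
    // Reject a null byte outright rather than stripping it.
    if (strpos($clientName, "\0") !== false) {
        throw new InvalidArgumentException('null byte in file name');
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('extension not allowed');
    }
    // Store under a server-generated name; only the checked extension survives.
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

function store_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // tmp_name is generated by PHP and is passed through unmodified.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $target = upload_target($file['name'], $uploadDir);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move upload');
    }
    return $target;
}

// Constructed sample names, runnable from the CLI without a real upload.
foreach (['holiday.PNG', "avatar\0.png", 'notes.txt'] as $name) {
    try {
        echo json_encode($name), ' -> ', upload_target($name, '/srv/uploads'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($name), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

In a form handler the call would be `store_upload($_FILES['pic'], '/srv/uploads')`. The image bytes themselves are never filtered: binary image data legitimately contains zero bytes, and stripping them would corrupt the file.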