One source of interesting exploits has not been mentioned. PHP allows strings to have 0x00 bytes in them. Underlying (libc) functions treat this as the end of a string.
This allows for situations where (poorly implemented) sanity-checking in PHP can be fooled, e.g. in a situation like:

    /// note: proof of principle code, don't use
    $include = $_GET['file'];
    if ( preg_match("/\\.php$/",$include) ) include($include);

This might include any file - not just those ending in .php - by calling script.php?file=somefile%00.php
So any function that will not obey PHP's string length may lead to some vulnerability.
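
A hardened form of the check above, as an added example that is not part of the original answer: it refuses any value containing a NUL byte, matches against an allowlist instead of a suffix pattern, and appends the extension server-side. The names `ALLOWED_PAGES` and `resolve_include`, the demo directory and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist of page names (an assumption, not from the answer).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/** Map a request parameter to an include path, or return null to refuse. */
function resolve_include(string $requested, string $baseDir): ?string
{
    // PHP strings are length-counted, so an embedded NUL is just another byte.
    // Refuse it before the value can reach any API that stops at the first NUL.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // Compare against known names rather than pattern-matching a suffix.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // The extension is appended here, never taken from the request.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved file must live under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo directory so the script runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'nul_demo_pages';
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'about.php', "<?php // demo page\n");

// Constructed sample inputs, including the NUL-byte value from the answer.
$samples = ['about', "somefile\0.php", '../about', 'about.php'];
foreach ($samples as $s) {
    // The suffix check from the answer, for comparison only (nothing is included).
    $suffixOk = preg_match('/\.php$/', $s) === 1;
    $resolved = resolve_include($s, $base);
    printf(
        "%-24s suffix-check=%-4s hardened=%s\n",
        json_encode($s),               // shows the NUL as \u0000
        $suffixOk ? 'pass' : 'fail',
        $resolved ?? 'refused'
    );
}
```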