A recent examination of PHP's database driver layer revealed two significant vulnerabilities in PHP Data Objects (PDO) affecting the pdo_firebird and pdo_pgsql drivers. The first vulnerability, CVE-2026-25289, allows SQL injection attacks through NUL byte manipulation in quoted strings, compromising the safety of SQL statements. The second vulnerability, CVE-2026-25290, can cause application crashes due to null pointer dereferencing when invalid multibyte character sequences are processed. Both vulnerabilities stem from assumptions about C string handling and have been addressed in a security release. Researchers recommend treating binary input as untrustworthy and encapsulating financial workflows within atomic transactions.