diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 5d2fb5b79b2..a731ddaa9b0 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -2343,7 +2343,7 @@ PHP_FUNCTION(date_create_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 3)
 		Z_PARAM_STRING(format_str, format_str_len)
-		Z_PARAM_STRING(time_str, time_str_len)
+		Z_PARAM_PATH(time_str, time_str_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 	ZEND_PARSE_PARAMETERS_END();
@@ -2365,7 +2365,7 @@ PHP_FUNCTION(date_create_immutable_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 3)
 		Z_PARAM_STRING(format_str, format_str_len)
-		Z_PARAM_STRING(time_str, time_str_len)
+		Z_PARAM_PATH(time_str, time_str_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 	ZEND_PARSE_PARAMETERS_END();
@@ -2845,7 +2845,7 @@ PHP_FUNCTION(date_parse_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
 		Z_PARAM_STR(format)
-		Z_PARAM_STR(date)
+		Z_PARAM_PATH_STR(date)
 	ZEND_PARSE_PARAMETERS_END();
 
 	parsed_time = timelib_parse_from_format(ZSTR_VAL(format), ZSTR_VAL(date), ZSTR_LEN(date), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
diff --git a/ext/date/tests/bug72963.phpt b/ext/date/tests/bug72963.phpt
new file mode 100644
index 00000000000..c44b78c6340
--- /dev/null
+++ b/ext/date/tests/bug72963.phpt
@@ -0,0 +1,90 @@
+--TEST--
+Bug #72963 (Null-byte injection in CreateFromFormat and related functions)
+--FILE--
+<?php
+$strings = [
+	'8/8/2016',
+	"8/8/2016\0asf",
+];
+
+foreach ($strings as $string) {
+	$d1 = $d2 = $d3 = NULL;
+	echo "\nCovering string: ", addslashes($string), "\n\n";
+
+	try {
+		$d1 = DateTime::createFromFormat('!m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	try {
+		$d2 = DateTimeImmutable::createFromFormat('!m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	try {
+		$d3 = date_parse_from_format('m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	var_dump($d1, $d2, $d3);
+}
+?>
+--EXPECT--
+Covering string: 8/8/2016
+
+object(DateTime)#1 (3) {
+  ["date"]=>
+  string(26) "2016-08-08 00:00:00.000000"
+  ["timezone_type"]=>
+  int(3)
+  ["timezone"]=>
+  string(3) "UTC"
+}
+object(DateTimeImmutable)#2 (3) {
+  ["date"]=>
+  string(26) "2016-08-08 00:00:00.000000"
+  ["timezone_type"]=>
+  int(3)
+  ["timezone"]=>
+  string(3) "UTC"
+}
+array(12) {
+  ["year"]=>
+  int(2016)
+  ["month"]=>
+  int(8)
+  ["day"]=>
+  int(8)
+  ["hour"]=>
+  bool(false)
+  ["minute"]=>
+  bool(false)
+  ["second"]=>
+  bool(false)
+  ["fraction"]=>
+  bool(false)
+  ["warning_count"]=>
+  int(0)
+  ["warnings"]=>
+  array(0) {
+  }
+  ["error_count"]=>
+  int(0)
+  ["errors"]=>
+  array(0) {
+  }
+  ["is_localtime"]=>
+  bool(false)
+}
+
+Covering string: 8/8/2016\0asf
+
+DateTime::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+DateTimeImmutable::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+date_parse_from_format(): Argument #2 ($datetime) must not contain any null bytes
+NULL
+NULL
+NULL