How to prevent null bytes from being passed to Bcrypt (password_hash)?

I have a script that creates a secure token for browser login remember-me like so: