How can one ensure the security of PHP forms against potential vulnerabilities?

// Example of input validation and sanitization
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
    $password = filter_var($_POST["password"], FILTER_SANITIZE_STRING);

    // Use prepared statements to prevent SQL injection
    $stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
    $stmt->execute(['username' => $username, 'password' => $password]);

    // CSRF token validation
    if ($_POST["csrf_token"] === $_SESSION["csrf_token"]) {
        // Form submission is valid
    } else {
        // Form submission is invalid
    }
}