What are common pitfalls when creating a login form in PHP?

One common pitfall when creating a login form in PHP is not properly sanitizing user input, which can leave your application vulnerable to SQL injection attacks. To solve this issue, always use prepared statements when querying the database to prevent SQL injection.

// Using prepared statements to prevent SQL injection
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->execute(['username' => $username, 'password' => $password]);
$user = $stmt->fetch();