What are some common pitfalls to avoid when manipulating strings in PHP?
One common pitfall when manipulating strings in PHP is treating user input as trusted text and concatenating it straight into HTML, SQL, shell commands or other interpreted output, which leads to cross-site scripting, SQL injection and similar injection flaws. The fix is not a single "sanitize on input" step but context-aware escaping at the point of use: call `htmlspecialchars()` when a string is written into an HTML document, and keep data out of SQL query text altogether with prepared statements (PDO or mysqli with bound parameters). `mysqli_real_escape_string()` is the older alternative for SQL; it only works correctly when the connection character set is set (`mysqli_set_charset()`) and the value is quoted in the query, so prefer prepared statements. Store the raw input unchanged and escape it for each output context separately; escaping on the way in corrupts the data and still leaves other contexts unprotected.
<?php
// Escaping user-supplied text for an HTML body context using htmlspecialchars().
// ENT_QUOTES also encodes single quotes, so the result is safe inside
// single- or double-quoted attribute values as well as element content.
$userInput = "<script>alert('XSS attack');</script>";
$escapedOutput = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
echo $escapedOutput;
// Output: &lt;script&gt;alert(&#039;XSS attack&#039;);&lt;/script&gt;
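The following is an added example, not code from the original answer, showing the two contexts side by side: the same raw input is stored unchanged, escaped with `htmlspecialchars()` only when rendered as HTML, and passed to SQL through a PDO prepared statement. The vulnerable concatenated query is shown next to the safe one so the difference in behaviour is visible. The helper name `escapeHtml()` and the SQLite in-memory database (which assumes the `pdo_sqlite` extension so the example runs offline) are this example's own choices, not something the page describes.

```php
<?php
// Added example (not from the original page): escape per output context at
// the point of use, and use prepared statements for SQL.
// Assumes the pdo_sqlite extension so the database part runs offline.

declare(strict_types=1);

// Constructed attacker-style inputs. They are legitimate data to store
// verbatim; they only become dangerous when concatenated into HTML or SQL.
$xssInput = "<img src=x onerror=\"alert('XSS')\">";
$sqlInput = "' OR '1'='1";

// 1. HTML context: encode when rendering, never when storing.
//    ENT_QUOTES covers both quote styles (attribute values), ENT_SUBSTITUTE
//    replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

echo '<p>' . escapeHtml($xssInput) . "</p>\n";
echo '<input value="' . escapeHtml($xssInput) . "\">\n";

// 2. SQL context: set up a small table to query against.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Vulnerable form (for contrast only): the input becomes part of the query
// grammar, so the tautology matches every row.
$vulnerableSql = "SELECT COUNT(*) FROM users WHERE name = '" . $sqlInput . "'";
$matchedUnsafe = (int) $pdo->query($vulnerableSql)->fetchColumn();
echo "Concatenated query matched {$matchedUnsafe} rows (expected: all 3)\n";

// Safe form: a placeholder plus a bound parameter. The driver sends the value
// as data, so it is compared literally against the name column.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$stmt->execute([':name' => $sqlInput]);
$matchedSafe = (int) $stmt->fetchColumn();
echo "Prepared statement matched {$matchedSafe} rows (expected: 0)\n";

// 3. Storing the raw value with a prepared statement keeps it intact, and it
//    still needs escapeHtml() whenever it is rendered later.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $xssInput]);
$stored = $pdo->query('SELECT name FROM users WHERE id = 4')->fetchColumn();
echo 'Stored unchanged: ' . ($stored === $xssInput ? 'yes' : 'no') . "\n";
echo 'Rendered safely:  ' . escapeHtml($stored) . "\n";
```

Run it with `php example.php`. The point to take away is that the prepared statement returns 0 matches for the tautology input while the concatenated query returns every row, and that the stored value is byte-for-byte the original, so HTML escaping is still applied on output rather than on input.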