What are some common security risks associated with handling user input in PHP, as seen in the provided code snippet?
One common security risk when handling user input in PHP is SQL injection. It occurs when user input is concatenated directly into an SQL query without proper sanitization, so the database parses the input as part of the statement. To mitigate this risk, use prepared statements with parameterized queries, which pass the input to the database as a bound value instead of as SQL text.
// Original code with SQL injection vulnerability
$user_input = $_POST['username'];
$query = "SELECT * FROM users WHERE username = '$user_input'";
$result = mysqli_query($connection, $query);
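
// Fixed code using prepared statements
// Default to an empty string if the field is missing from the request
$user_input = $_POST['username'] ?? '';
// The ? placeholder keeps the SQL text fixed; the input is never parsed as SQL
$query = "SELECT * FROM users WHERE username = ?";
$stmt = mysqli_prepare($connection, $query);
// "s" binds $user_input as a string value
mysqli_stmt_bind_param($stmt, "s", $user_input);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);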
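
The difference between the two snippets above can be observed with an ordinary name that contains a quote. This is an added example, not code from the original page; it assumes PDO with an in-memory SQLite database (the pdo_sqlite extension) in place of the page's mysqli connection so that it runs offline, and the table contents, inputs and function names are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the page's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('O''Brien')");

// Concatenation, as in the page's original snippet: the input becomes part of the SQL text.
// (Hypothetical helper name; kept vulnerable on purpose to show the failure.)
function findUserConcatenated(PDO $pdo, string $username): array
{
    $query = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement, as in the page's fixed snippet: the input is bound as a value.
// (Hypothetical helper name.)
function findUserPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain name and a legitimate name containing a quote.
foreach (['alice', "O'Brien"] as $input) {
    try {
        $rows = findUserConcatenated($pdo, $input);
        echo "concatenated [$input]: ", count($rows), " row(s)\n";
    } catch (PDOException $e) {
        // The quote closed the string literal early, so the parser saw different SQL.
        echo "concatenated [$input]: query structure changed (", $e->getMessage(), ")\n";
    }

    // The bound value never reaches the SQL parser, so the quote is just data.
    $rows = findUserPrepared($pdo, $input);
    echo "prepared     [$input]: ", count($rows), " row(s)\n";
}
```

A query that fails on a legitimate value such as a surname with an apostrophe is a useful review and test signal that input is reaching the SQL parser instead of being bound.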