What are the potential pitfalls of using $_POST variables in PHP forms?

Potential pitfalls of using $_POST variables in PHP forms include susceptibility to SQL injection attacks and cross-site scripting (XSS) attacks if the input is not properly sanitized or validated. To mitigate these risks, it is important to use prepared statements for database queries and sanitize user input before processing it.

// Example of using prepared statements to prevent SQL injection
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->bindParam(':username', $_POST['username']);
$stmt->execute();
```

```php
// Example of sanitizing user input to prevent XSS attacks
$username = htmlspecialchars($_POST['username']);