What potential pitfalls should be considered when manipulating strings in PHP?
One potential pitfall when manipulating strings in PHP is not properly sanitizing user input, which can lead to security vulnerabilities such as SQL injection or cross-site scripting attacks. To mitigate this risk, always use functions like `htmlspecialchars()` or `mysqli_real_escape_string()` to sanitize user input before manipulating it.
```php
<?php
// Example of escaping user input with htmlspecialchars() before it is placed in HTML.
// ENT_QUOTES converts both single and double quotes, so the result is also safe inside
// a quoted attribute; passing the charset explicitly avoids encoding mismatches.
$user_input = "<script>alert('XSS attack!');</script>";
$sanitized_input = htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
echo $sanitized_input;
```
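The answer names two sinks, HTML and SQL, and they need different handling. The following is an added example, not part of the original answer: the same untrusted string is passed to both an HTML renderer, which escapes it with `htmlspecialchars()` at output time, and a database lookup, which avoids string escaping entirely by binding the value as a parameter of a prepared statement. The `renderGreeting()` and `findUserId()` functions, the `users` table and the sample name are constructed for illustration; PDO with an in-memory SQLite database is used so it runs without a server, but the `prepare`/`bindValue`/`execute` pattern is the same for MySQL.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the kind of value a form field might carry.
// It contains both a single quote (an SQL hazard) and markup (an HTML hazard).
const UNTRUSTED_NAME = "O'Brien <script>alert('XSS')</script>";

// HTML context: escape at the point of output. ENT_QUOTES handles both quote
// styles so the value is safe inside a quoted attribute as well as in text;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
function renderGreeting(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, <span data-name=\"{$safe}\">{$safe}</span></p>";
}

// SQL context: do not splice the string into the query text at all. A bound
// parameter is sent separately from the SQL, so a quote inside the name cannot
// alter the statement's structure, and no escaping function is needed.
function findUserId(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// In-memory SQLite so the example runs offline (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The value is stored verbatim, also via a bound parameter: escaping is applied
// per output context, not once at input time, so the raw data stays intact.
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => UNTRUSTED_NAME]);

echo renderGreeting(UNTRUSTED_NAME), PHP_EOL;   // markup and quotes come out as entities
var_dump(findUserId($db, UNTRUSTED_NAME));        // the quote did not break the query
var_dump(findUserId($db, 'Nobody'));              // no such row: null, no error
```

Two practical points follow from this split. `mysqli_real_escape_string()` only produces correct output for a value that will sit inside a quoted SQL literal and requires an open connection to know the server's character set, whereas a prepared statement removes the string-building step that makes those conditions matter. And escaping for HTML at input time rather than output time corrupts the stored data (the database would hold `&lt;script&gt;`), which is why the example keeps the raw value in the table and escapes only in `renderGreeting()`.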