I'm learning how to save my project from attackers, so I have a question.
I have a form with
Array([username] => X, [password] => Y)
An attacker cannot "escape" a PHP array, because the contents of the array are not executed as code. It may contain a string of PHP, but that string is not executed.
What may be insecure is how your PHP code handles the user input later on.
Alternatively, if you are putting the data into a database without escaping it, the user could enter their own SQL commands (for more info look up SQL Injection). To prevent this in PHP, use something like PDO with prepared statements.