Try it like this:
$stmt = $db->prepare("SELECT * FROM login WHERE username=:username AND password=:password");
$stmt->bindValue(":username", $username, PDO::PARAM_STR);
$stmt->bindValue(":password", $password, PDO::PARAM_STR);
$stmt->execute();
You have to create a statement ($stmt) via $db->prepare("sql"), not a query. Then you can bind params to the prepared statement and execute it.
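The difference between the prepare/bind/execute sequence above and a query() call built by string concatenation, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension with an in-memory database; the helper names `findLogin` and `findLoginConcatenated`, the table contents, and the test values are constructed for illustration.

```php
<?php
// In-memory SQLite stands in for the real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and row, shaped like the query in the answer.
$db->exec('CREATE TABLE login (username TEXT, password TEXT)');
$db->exec("INSERT INTO login VALUES ('alice', 'correct horse')");

// Hypothetical helper: prepared statement, values travel separately from the SQL.
function findLogin(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM login WHERE username = :username AND password = :password'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper kept only for contrast: values are pasted into the SQL
// text, so quote characters in the input become part of the statement.
function findLoginConcatenated(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM login WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one valid pair, one value containing quote characters.
$quoted = "' OR '1'='1";

echo "prepared, valid pair:      ";
var_dump(findLogin($db, 'alice', 'correct horse') !== null);

echo "prepared, quoted value:    ";
var_dump(findLogin($db, 'alice', $quoted) !== null);

echo "concatenated, quoted value: ";
var_dump(findLoginConcatenated($db, 'alice', $quoted) !== null);
```

With the bound parameter the quoted value is compared as a literal string and matches nothing; in the concatenated form the same value changes the WHERE clause and the row is returned.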