Before you do anything, you first need to rewrite the whole code and introduce basic security measures. Currently, you have no security whatsoever. Anybody could use this piece of code to capture your whole server. Seriously.
As a more "harmless" example, anybody can log in as an admin by simply POSTing this:
pword: '' or username = 'admin'
Since you insert the values directly into your query, I can inject SQL commands to manipulate the query and change it into this:
select username, password from login where username = '' and password = '' or username = 'admin'
(leaving aside the fact that your code doesn't even run due to various typos and syntax errors)
Read The 6 worst security sins and then rewrite the code.
Since you said that this is an assignment(?), you may not find it important to secure your code. But it's especially important in an assignment, because it shows whether or not you're able to write proper code. If I were your teacher/professor and you gave me this piece of code, I think we'd have a serious talk.
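The following is an added example, not part of the original answer or the asker's code: it puts the concatenated query from the answer beside a parameterized version. Python with sqlite3 is an assumption (the thread does not show the application language), and the function names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data. Table and column names follow the query quoted
    # in the answer; plaintext passwords only mirror that query (store a
    # password hash in real code).
    db = sqlite3.connect(":memory:")
    db.execute("create table login (username text, password text)")
    db.executemany("insert into login values (?, ?)",
                   [("admin", "s3cret-admin"), ("alice", "alice-pw")])
    return db

def build_concatenated(username, pword):
    # Vulnerable: user input becomes part of the SQL text itself.
    return ("select username, password from login "
            "where username = '" + username + "' and password = '" + pword + "'")

def login_vulnerable(db, username, pword):
    return db.execute(build_concatenated(username, pword)).fetchone()

def login_parameterized(db, username, pword):
    # Hardened: placeholders keep the input as data, so quotes in it
    # cannot change the structure of the query.
    return db.execute(
        "select username, password from login where username = ? and password = ?",
        (username, pword)).fetchone()

if __name__ == "__main__":
    db = make_db()
    crafted = "' or username = 'admin"   # input that yields the query in the answer
    print(build_concatenated("", crafted))
    print("concatenated :", login_vulnerable(db, "", crafted))
    print("parameterized:", login_parameterized(db, "", crafted))
```

In the concatenated form `and` binds tighter than `or`, so the `or username = 'admin'` branch matches the admin row regardless of the password; the parameterized form compares the whole input against the stored password and returns no row.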