Well, I think as your function is named as login, you need to have something like $sql: “SELECT password FROM users WHERE username = :username”, then looping over the result and login user if it works.
If you want to get more insights into SQL, check out this SQL Course from Intellipaat.