Hi everyone, hope you are all doing well.
I have a query about a login form in PHP with an Oracle database. I want a simple login with the database.
HTML code:

<p> <form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
Username:<br /><input type="text" name="username" size="10" /><br />
Password:<br /><input type="password" name="password" size="10" /><br />
<input type="submit" value="Login" /> </form> </p>

PHP code:

<?php
session_start(); // required before $_SESSION can be read or written

if (!isset($_SESSION['username'])) {
    if (isset($_POST['username'], $_POST['password'])) {
        $username = htmlentities($_POST['username']);
        $password = htmlentities($_POST['password']);
        $conn = oci_connect('user', 'pswrd', 'db')
            or die("Can't connect to database server!");

        // Bind variables keep the submitted values out of the SQL text
        $query = "SELECT username, password FROM users
                  WHERE username=:username AND password=:password";
        $stmt = oci_parse($conn, $query);
        oci_bind_by_name($stmt, ':username', $username, 8);
        oci_bind_by_name($stmt, ':password', $password, 32);
        oci_execute($stmt); // the statement must be executed before fetching

        // oci_fetch_array() returns false when no row matches
        $row = oci_fetch_array($stmt, OCI_NUM);
        if ($row !== false) {
            $_SESSION['username'] = $row[0];
            echo "You've successfully logged in. ";
        }
    } else {
        include "login.html";
    }
} else {
    printf("Welcome back, %s!", $_SESSION['username']);
}

I see on line 15 a basic flaw. You are storing passwords which is a big no no.
Read why at https://www.google.com/search?q=Never+store+passwords+in+a+database

What should you do? Store a hashed, salted version and compare that to the user's hashed, salted result. There are so many priors in PHP that I get the feeling you are not researching.

Research this area and never ever implement what you have above. It's just not done.
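
The approach the reply describes (store a salted hash and verify the submitted password against it), as an added example that is not part of the original thread. It uses PHP's built-in password_hash() and password_verify(); the $users array, the function names and the sample account are assumptions standing in for the Oracle users table.

```php
<?php
// Added example: $users is a constructed, in-memory stand-in for the users
// table. With Oracle, the stored hash would be selected by username alone
// (bound with oci_bind_by_name) and the password removed from the WHERE clause.

// Registration: password_hash() generates a random salt and embeds it,
// together with the algorithm and cost, in the string it returns.
function register_user(array &$users, string $username, string $password): void
{
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: fetch the stored hash by username, then verify the submitted password.
function check_login(array &$users, string $username, string $password): bool
{
    // Hash of a throwaway value, verified when the username is unknown so
    // that known and unknown usernames do comparable work.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy;

    // password_verify() re-hashes with the salt stored in $stored and
    // compares in constant time.
    $ok = password_verify($password, $stored) && $known;

    // Upgrade the stored hash when the default algorithm or cost has changed.
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

$users = [];
register_user($users, 'alice', 'correct horse'); // constructed sample account

var_dump(check_login($users, 'alice', 'correct horse')); // correct password
var_dump(check_login($users, 'alice', 'wrong'));         // wrong password
var_dump(check_login($users, 'mallory', 'anything'));    // unknown user
var_dump($users['alice'] === 'correct horse');           // stored value vs. plaintext
```

The column holding the hash needs more room than the 32 characters bound for the password in the question's code: a bcrypt hash is 60 characters, and the PHP manual suggests a 255-character column to allow for future algorithms.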