why is the code below is not working?

$sql = "SELECT password, fullname, active FROM ".$mysql_table."";
   $sql = $sql . "WHERE username = :username, password = :password";
   $statement = $pdo->prepare($sql);
   $statement->bindValue(':username', $_POST['username']);
   $statement->bindValue(':password', md5($_POST['password']));
   $statement->execute();

solved it with

$sql = "SELECT password, fullname, active FROM ".$mysql_table." WHERE username = :username AND password = :password";
   $statement = $pdo->prepare($sql);
   $statement->bindValue(':username', $_POST['username']);
   $statement->bindValue(':password', md5($_POST['password']));
   $statement->execute();

Wasn't working because your "WHERE" got glued right onto the name of your table so it seems :).