Trying to use escape string but it doesnt allow me to login

General PHP Help
#1 
<?php
//start session 
session_start();
if (@$_SESSION[$_SERVER['HTTP_HOST'].'_Admin'] == 1) { 
  header('Location: dashboard.php');
} 
error_reporting(0);
$title = "login";
$processMsg = '';
require_once '../includes/conf.php';
$username = isset($_POST['username'])?trim($_POST['username']):'';


if (trim($username) != '') {
$password = mysql_real_escape_string($_POST['password']);
$username = mysql_real_escape_string($_POST['username']);


//$query = "SELECT * FROM ".PRE."_admin WHERE `username`= ' " .mysql_real_escape_string( $_GET['username'] ). " ' AND 

`password`= ' " .mysql_real_escape_string( $_GET['password'] ). " ' "; 

$query = "SELECT * FROM ".PRE."_admin WHERE 'username' = '$username' AND password = '$password'";
$result = $dbConnect->query($query);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();









require_once '../includes/classes/functions.php';

$_SESSION['admin'] = ($row['level'] == 'Super Admin')?true:false;
 
$_SESSION[$_SERVER['HTTP_HOST'].'_Admin'] = 1;
$_SESSION['username'] = $_POST['username'];
fns::redirect('dashboard.php');
    } else {
	$processMsg = '<div align="center" style="color:#CC0000">Incorrect Login Password or Username</div>';
	}
	}
	?>
<html>
<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>Comnavig - Login Page</title>
    <meta content='width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no' name='viewport'>
    <!-- Bootstrap 3.3.2 -->
    <link href="css/bootstrap.min.css" rel="stylesheet" type="text/css" />
    <!-- Font Awesome Icons -->
    <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" 

type="text/css" />
    <!-- Theme style -->
    <link href="css/AdminLTE.min.css" rel="stylesheet" type="text/css" />
    <!-- iCheck -->
    <link href="css/blue.css" rel="stylesheet" type="text/css" />

    <!-- HTML5 Shim and Respond.js IE8 support of HTML5 elements and media queries -->
    <!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
    <!--[if lt IE 9]>
        <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
        <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
    <![endif]-->
  </head>

  <body class="login-page">
    <div class="login-box">
      <div class="login-logo">
        
      </div><!-- /.login-logo -->
      <div class="login-box-body">
        <p class="login-box-msg">Sign in to start your session</p>
        <form action="" method="post">
          <div class="form-group has-feedback">
            <input name="username" type="text" class="form-control" id="Email" placeholder="Email"/>
            <span class="glyphicon glyphicon-envelope form-control-feedback"></span>
          </div>
          <div class="form-group has-feedback">
            <input name="password" type="password" class="form-control" id="password" placeholder="Password"/>
            <span class="glyphicon glyphicon-lock form-control-feedback"></span>
          </div>
          <div class="row">
            <div class="col-xs-8"></div><!-- /.col -->
            <div class="col-xs-4">
              <button type="submit" class="btn btn-primary btn-block btn-flat" name="login">Sign In</button>
            </div><!-- /.col -->
          </div>
        </form><!-- /.social-auth-links -->

        <a href="#">I forgot my password</a><br>

      </div><!-- /.login-box-body -->
    </div><!-- /.login-box -->

    <!-- jQuery 2.1.3 -->
   
  </body>
#2

The posted code is way out of date (the mysql_ functions, being used in the escaping, but not in the actual query, have been removed from php for some time now) and is filled with repetitive, inconsistent, and bad programming. Also, wherever you copy/pasted this from split the commented out sql query, which broke the rest of the code.

Current scripts should -

  1. Use the PDO database extension.
  2. Use a prepared query when supplying external, unknown, dynamic data to the query when it gets executed. Use implicit binding by supplying an array of values to the execute([…]) call.
  3. Use exceptions for database error handling and in most cases let php catch and handle the exceptions.
  4. Detect if a post method form was submitted before using any of the form data.
  5. Operate on the set of form data as an array.
  6. Trim and validate all input data, storing validation errors messages in an array, using the field name as the array index, then use the submitted data if there are no validation errors (the array will be empty.)
  7. Use php’s password_hash() and password_verify() for hashing/testing the password.
  8. Store user data in a user(s) or similar named table, regardless of what type/permissions the user has.
  9. Only store the user’s id in a session variable, then query on each page request to get any other current user information/permissions.
  10. Have an exit/die statement after every header() redirect to stop program execution.
  11. Display ALL php errors when learning, developing, or debugging code/queries and log all php errors when on a live/public server. The php error related settings should be in the php.ini on your system, not in the script.
  12. Don’t use the @ error suppressor, ever.
  13. Produce a valid html document.
  14. Apply htmlentities() to all dynamic values when they are output on a web page.
  15. Leave the action=’’ attribute out of the form tag to cause the form to submit to the same page. An empty action=’’ attribute is not valid html5.
Sponsor our Newsletter | Privacy Policy | Terms of Service