您正在手动在用户名周围添加空格，以使其看起来不存在:

You are manually adding spaces around your username so it will look like it does not exist:

$query = "SELECT * from User WHERE username=' ".$username." ' ";
                                             ^             ^

应该是:

$query = "SELECT * from User WHERE username='".$username."' ";

使用准备好的语句将一劳永逸地避免该问题和潜在的sql注入问题:

Using a prepared statement would avoid that problem and potential sql injection problems in one go:

$query = "SELECT * from User WHERE username=?";

还要确保您始终使用表名和列名:User不一定与user相同.

Also make sure you consistently use your table- and column names: User is not necessarily the same as user.

还要注意，您永远不要在数据库中存储纯文本密码，而应该

Also note that you should never store plain-text passwords in a database, you should salt and hash them.