$username = $_POST['username'];
$password = $_POST['password'];
$SQL = "SELECT * FROM members WHERE username = '$username'";
but this does not
$username = $_POST['username'];
$password = $_POST['password'];
$SQL = "SELECT * FROM members WHERE username = '$username' AND password = '$password'";
If you are inspecting inherited code, maybe passwords are encrypted in your database? Take a close look at the output of the SQL statement via your database management tool.
DESCRIBE members;
If passwords are 8 chars in length but DESCRIBE tells you the column is 40 characters, then it is likely that as passwords are added they are encrypted with SHA1() or something like that.
Or try this:
select password from members where username = 'ENTER A VALID USERNAME HERE'
If passwords are not encrypted, then they really should be.
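The situation described above, as an added example that is not part of the original post: the members row holds a 40-character SHA-1 digest, so matching the typed password in the WHERE clause finds nothing. The hypothetical check_login() instead looks the row up by username with a bound parameter, verifies in PHP, and upgrades a legacy digest to password_hash(). It assumes PDO with the pdo_sqlite extension and a constructed sample row.

```php
<?php
// Added example: table and column names follow the post, everything else is assumed.
// Uses an in-memory SQLite database (pdo_sqlite) and one constructed row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');

// Constructed legacy row: an 8-character password stored as a 40-character SHA-1 hex digest.
$ins = $db->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$ins->execute(['alice', sha1('s3cret!!')]);

// Hypothetical helper: select by username only, then verify the password in PHP.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    // Exactly 40 hex characters: treat the value as a legacy SHA-1 digest.
    if (preg_match('/^[0-9a-f]{40}$/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), sha1($password))) {
            return false;
        }
        // Password was correct: replace the SHA-1 digest with a password_hash() value.
        $upd = $db->prepare('UPDATE members SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
        return true;
    }

    // Anything else is expected to be a password_hash() value.
    return password_verify($password, $stored);
}

// The post's second query shape, with bound parameters instead of interpolation.
// It compares the typed text against the stored digest inside SQL.
$q = $db->prepare('SELECT COUNT(*) FROM members WHERE username = ? AND password = ?');
$q->execute(['alice', 's3cret!!']);
var_dump((int) $q->fetchColumn());

var_dump(check_login($db, 'alice', 's3cret!!')); // first call upgrades the stored value
var_dump(check_login($db, 'alice', 's3cret!!')); // second call goes through password_verify()
var_dump(check_login($db, 'alice', 'wrong'));
```

On a real members table the password column has to be wide enough for password_hash() output; the PHP manual recommends 255 characters.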