Fresh pair of eyes is often a bonus on this, as is looking at something else for a while and coming back to a problem later. Good spot, though, I was about to start on about whether re-using the $query variable name would cause issues.
Password treatment is a little off topic given the OP’s original question but of sufficient importance that I thought this warranted a reply.
It’s correct to say that the password should not be stored in plain text. Absolutely true.
However, passwords should be salted. They should also be hashed and definitely not encrypted. The difference is subtle but important since encryption implies decryptability.
Fortunately we have an excellent solution with the password functions provided by the lang itself
password_hash() and password_verify() et al
Anthony Ferara also provides a compatible library for those not yet on PHP5.5