thank you both. I have cleaned it up a bit, and it works great.
added exit to all headers and cleaned up my doubled code. also, 'safe' = mysqli_real_escape_string. but I don't need to apply that to $_POST['password']?
only thing I'm confused about is this:
"With remember me, you need to set a token in the cookie and in the database (similar to a password check), and check these are equal, otherwise someone can just send a cookie with anybody's username in it and get access to their account."
my remember me is working now, but I guess I still need to do this.
do I just add a column to my users table and adjust that column according to whether or not they have selected remember me? I guess I also need to modify my setcookie somehow? currently it is like this:
setcookie("loggedin", $username, time()+3600*24*365);