bug bypass admin

<?php
  $message = "";
  if(isset($_POST['submit'])){
     $username= ($_POST[username]);
     $password = md5($_POST['password']);
    $query = "SELECT * FROM admin WHERE username = '$username' and password = '$password' and usertype = '1'";
     $query_result = mysqli_query($con, $query);
     if(mysqli_num_rows($query_result)){
        $row = mysqli_fetch_assoc($query_result);
        $_SESSION['admin_id'] = $row['id'];
        $_SESSION['username'] = $row['username'];
        header("location: index.php");
     }else{
       $message = "Username and password is not matched.";
     }
  }
?>