To successfully exploit this vulnerability, you need to be able to inject some code such that the resulting SQL statement will return something that will pass the later test:

$_POST["username"] == $row[1] && $_POST["password"] == $row[2]

So the second column needs to be equal to the submitted username and the third column needs to be equal to the submitted password.

Now, as the injection happens through the submitted username, you have a problem.

You cannot supply a username that does both things at once: inject some data into the result set, and be identical to the username value that the injected code puts into that result set.

The former is quite easy (assuming three columns in user):

username := '" UNION SELECT 1, "admin", "'
password := ''

This results in:

SELECT * FROM user WHERE username = "" UNION SELECT 1, "admin", ""

However, the $_POST["username"] == $row[1] part remains unresolvable, as you would need to make the second SELECT return the submitted username as the username column value. And that’s just not possible.
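The behaviour described above, reproduced as an added example that is not code from the original page: it uses Python's sqlite3 in place of the PHP/MySQL setup, so the payload is re-quoted with single quotes, and the table contents and function names are constructed for illustration. It shows the injected row reaching the result set, the post-query comparison rejecting it, and a bound parameter keeping the row out of the result set entirely.

```python
import sqlite3

def make_db():
    # Constructed sample table with three columns, as the page assumes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO user VALUES (1, 'admin', 's3cret-constructed')")
    return db

def passes_check(rows, username, password):
    # Same test as on the page: $_POST["username"] == $row[1] && $_POST["password"] == $row[2]
    return any(username == r[1] and password == r[2] for r in rows)

def login_concatenated(db, username, password):
    # Vulnerable form: the submitted username is pasted into the SQL text.
    sql = "SELECT * FROM user WHERE username = '" + username + "'"
    rows = db.execute(sql).fetchall()
    return rows, passes_check(rows, username, password)

def login_parameterized(db, username, password):
    # Hardened form: the username is bound as data and never parsed as SQL.
    rows = db.execute(
        "SELECT * FROM user WHERE username = ?", (username,)
    ).fetchall()
    return rows, passes_check(rows, username, password)

# The page's payload, re-quoted with single quotes for SQLite (assumption).
PAYLOAD = "' UNION SELECT 1, 'admin', '"

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concatenated", login_concatenated),
                     ("parameterized", login_parameterized)):
        rows, ok = fn(db, PAYLOAD, "")
        print(f"{name}: rows={rows} login_ok={ok}")
```

The comparison only happens to block this payload; the bound parameter is what removes the injection itself.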