SQL Injection attack vulnerable login

auth.sql

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username text, pwd text);
INSERT INTO "users" VALUES('admin','5743abddddfa08c1e3a99fdebc2e8f3f1108fa12dcd2a8f58a42f141418c22ec');
INSERT INTO "users" VALUES('student','5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8');
COMMIT;

index.html

<!doctype html>
<html>
  <head>
    <title>Insecure Login</title>
  </head>
  <body>
    <form action="login.php" method="post">
      <input type="text" name="username" placeholder="username, e.g. admin"></input>
      <input type="password" name="password" placeholder="password"></input>
      <button type="submit">Send form</button>
    </form>
  </body>
</html>

login.php

<?php
   $username = $_REQUEST["username"];
   $pwd = hash('sha256',$_REQUEST["password"]);
   $dbhandle = new PDO("sqlite:auth.db") or die("Failed to open DB");
   if (!$dbhandle) die ($error);
   $statement = $dbhandle->prepare("Select * from users where username='".$username."' and pwd='".$pwd."'");
   $statement->execute();
   $results = $statement->fetch(PDO::FETCH_ASSOC);
   if (isset($results["pwd"])){
       $_SESSION['logged_in'] = true;
       echo "Success!  You are logged in.";
   } else {
       $_SESSION["logged_in"] = false;
       header("Location: index.html"); /* Redirect browser */
       exit();
   }
?>

what sqli is this vulnerable to? I mean what exact command?