I'm having problems creating a login script that lets me access a members area

There are a lot of security vulnerabilities in your login script. If you are using PDO, you should be using prepared statements wherever you have a WHERE clause or any user input. Using prepared statements doesn't "magically" protect you from SQL injection, but it will lessen the vulnerabilities.

Database connections should always be at the top of the page, including session_start().

These errors are telling you that the $_POST or $_REQUEST variables aren’t assigned. You should also use $_POST instead of $_REQUEST because you are getting information that is from a form. Using $_REQUEST will lead to security vulnerabilities because it contains both $_POST and $_GET values and they might not come from the same origin.

Next, you need to rename 'xxxxxxxxxxxxxx' to your actual database.


Now, looking at your index file, I see there are a lot of security problems. You’re using MD5 for the password, MD5 isn’t a password algorithm and isn’t intended to be one. You should use PHP’s default password_hash.

When looking to see if the account exists, don't compare both email and password together. You should check whether the email exists. If it exists, then pull up the password hash for the selected email. From there, use the password_verify function to check whether the user-submitted password is the same as the one you just pulled. This should all be done through a different set of files, since redirecting to the same file multiple times could cause an infinite loop.


Then there are more. Don't use if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. All of these are amateur hacks from tutorials from the '90s. The proper way to check if the form was submitted is by using if($_SERVER['REQUEST_METHOD'] == 'POST'). And don't let anyone else tell you otherwise. People who support if(isset($_POST['submit'])), if(isset($_POST['btn'])), if(isset($_POST)), etc. are the people who want to keep legacy code alive.


Simple doesn’t always mean secure and not hackable.

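The login flow the reply describes, as an added example (this is not the original poster's code and not the script under discussion): session_start() and the PDO connection at the top, a prepared statement for the email lookup, the password stored with password_hash and checked with password_verify, and the form handled only when REQUEST_METHOD is POST, reading $_POST rather than $_REQUEST. It assumes PHP 8 with the pdo_sqlite extension; the in-memory database, the users table, the sample account and the function names are constructed for this example so it runs offline.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 8 + pdo_sqlite.
// The table, sample account and function names below are constructed for the demo.
declare(strict_types=1);

session_start(); // session and DB connection first, before any output

// Constructed in-memory database so the example runs offline. A real app
// connects to its own DSN with a dedicated, least-privileged database user.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements, not client-side quoting
]);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

// Hash of a throwaway password, used so a login for an unknown email costs about
// the same time as a wrong password (makes account enumeration by timing harder).
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

function registerUser(PDO $pdo, string $email, string $password): void
{
    // password_hash chooses the current default algorithm (bcrypt) and a random salt.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $pdo, string $dummyHash, string $email, string $password): ?int
{
    // Look up by email only; the password never appears in the WHERE clause and the
    // email is bound as a parameter, so a value like "x' OR '1'='1" is just a string.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = $row['password_hash'] ?? $dummyHash;
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    // If the default cost or algorithm has changed since the hash was made, upgrade it.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed sample account for the demo.
registerUser($pdo, 'alice@example.com', 'correct horse battery staple');

// Handle the form only when it was actually POSTed, and read $_POST, not $_REQUEST.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $email    = (string) ($_POST['email'] ?? '');
    $password = (string) ($_POST['password'] ?? '');

    $userId = loginUser($pdo, $dummyHash, $email, $password);
    if ($userId !== null) {
        session_regenerate_id(true);      // fresh session id on login, against session fixation
        $_SESSION['user_id'] = $userId;
        header('Location: /members.php'); // a separate file, not a redirect back to this one
        exit;
    }
    echo 'Invalid email or password.';   // one message for both failure causes
} elseif (PHP_SAPI === 'cli') {
    // Run from the command line to exercise the functions without a web server.
    var_dump(loginUser($pdo, $dummyHash, 'alice@example.com', 'correct horse battery staple'));
    var_dump(loginUser($pdo, $dummyHash, 'alice@example.com', 'wrong password'));
    var_dump(loginUser($pdo, $dummyHash, "x' OR '1'='1", 'anything'));
}

// At the top of members.php (after session_start()), the gate is simply:
//   if (empty($_SESSION['user_id'])) { header('Location: /login.php'); exit; }
```

Run it as `php login.php` to see the three lookups: the correct password returns the user's id, the wrong password and the injection attempt both return null. The MD5 comparison from the original script is replaced entirely; nothing here ever puts the submitted password into SQL.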