It will be easier for you to find the error if you can see the SQL that your program attempts to run. There are many ways to do this. One is to use the RaiseError option of DBI to "force errors to raise exceptions rather than simply return error codes in the normal way", then use eval to catch the exception and display the SQL and parameters. Something like the following:

#!C:/Perl64/bin/perl.exe 
use strict;
use warnings;
use DBI; 
use CGI; 
 
my $cgi = new CGI; 
 
##Create table using cgi 
$dbh = DBI->connect(
    "dbi:mysql:TestDB",
    'root','zulfi12345', {
        RaiseError  => 1,
    }
) or die "Unable to connect: $DBI::errstr\n"; 
 
my $username   = $cgi->param( 'username' ) || ''; 
my $password   = $cgi->param ('password') || ''; 
my $submit     = $cgi->param( 'submit' ) || ''; 
 
my $sth = $dbh->prepare("

SELECT username, password
FROM users
WHERE
    username = ? and
    password = ?
    
"); 

my @values = ($username, $password);

eval {
    $sth->execute(@values);
};

if($@) {
    die "Execution of\n" . $sth->{Statement} . "\n" .
    "with: @values\n" .
    "failed with: $@\n ";
}


my $found=0; 
while(my $row = $sth->fetchrow_hashref) { 
    $found=1; 
} 

if ($found==1) { 
    print "Welcome";
}
[download]

I have made a few other changes here that you might consider for your own code:

I added use strict; and use warnings;. These are not relevant to your immediate problem but I use them generally and suggest you do too. You can read more about them at Use strict and warnings and elsewhere.

Because I added use strict;, I also added my to declare variables as lexically scoped. There are other ways to conform to the "strict" constraints, but this is an easy one to get started that usually does what I want (and probably you too) and you can learn and use the others as need arises.

I have used Placeholders and Bind Values in the SQL statement. This avoids the need to escape 'special' characters in the values in your SQL. This helps to avoid 'SQL injection', which you should learn about.