The problem is this line of code:
SqlCommand cmd = new SqlCommand("select * FROM UsersTbl WHERE UserName =" + userName, connToDB);
If you read the lines after it, you add a parameter named @UserName but you never use it. Your code should be:
SqlCommand cmd = new SqlCommand("select * FROM UsersTbl WHERE UserName = @UserName", connToDB);
Also, the way you have it will allow you to be hacked by SQL injection. Always use parameterized queries.
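A fuller version of the parameterized lookup, as an added example that is not part of the original answer. The connection string, the `UserLookup`/`UserExists` names, the `COUNT(*)` projection and the `NVARCHAR(50)` column type are assumptions; `UsersTbl`, `UserName`, `connToDB` and `userName` come from the code above.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class UserLookup
{
    // Assumption: placeholder connection string, replace with your own.
    const string ConnString =
        "Server=localhost;Database=ExampleDb;Integrated Security=true;";

    // Returns true when UsersTbl contains a row for the given user name.
    public static bool UserExists(string userName)
    {
        // The SQL text is a constant. @UserName is only a placeholder here;
        // the value is sent to the server separately and is never parsed as
        // SQL, so quotes or keywords inside it cannot change the statement.
        const string sql =
            "SELECT COUNT(*) FROM UsersTbl WHERE UserName = @UserName";

        using (var connToDB = new SqlConnection(ConnString))
        using (var cmd = new SqlCommand(sql, connToDB))
        {
            // Declare type and length explicitly (assumed NVARCHAR(50)) so the
            // server does not have to infer them from each value.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value =
                (object)userName ?? DBNull.Value; // a null Value would not be sent

            connToDB.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        // With the concatenated form, "alice" produced
        //   ... WHERE UserName =alice
        // which the server reads as a column reference, not a string value.
        // With the parameter, the same input is compared as data.
        Console.WriteLine(UserExists("alice"));
    }
}
```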