You have forgotten to put a close bracket after VALUES ends.
Check this:
SqlCommand cmd = new SqlCommand("INSERT INTO user1 (username, password) VALUES ('" + textBox1.Text + "','" + textBox2.Text + "')", con);
Hope it helps :)
UPDATE:
As you know, this is vulnerable to SQL injection; spend a little time (not more) to convert this to a parameterized query.
SqlCommand cmd = new SqlCommand("INSERT INTO user1 ([username], [password]) VALUES (@username,@password)", con);
cmd.Parameters.AddWithValue("@username", textBox1.Text);
cmd.Parameters.AddWithValue("@password", textBox2.Text);
Reference:
Using Parameterized queries to prevent SQL Injection Attacks in SQL Server
Hope you'll consider this update :)
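
An added example, not part of the original answer: it builds both forms of the INSERT above for the same input and prints what the server would receive, which shows why the parameterized form is safe for any text the user types. It assumes `System.Data.SqlClient` is available and uses typed `SqlParameter`s in place of `AddWithValue`; the class name, column sizes and sample values are assumptions. No database connection is needed to run it.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class UserInsertDemo
{
    // Concatenated form from the first snippet: the input becomes part of the SQL text.
    public static SqlCommand BuildConcatenated(string username, string password)
    {
        return new SqlCommand(
            "INSERT INTO user1 (username, password) VALUES ('" + username + "','" + password + "')");
    }

    // Parameterized form: the SQL text is constant, values travel separately as typed parameters.
    public static SqlCommand BuildParameterized(string username, string password)
    {
        var cmd = new SqlCommand(
            "INSERT INTO user1 ([username], [password]) VALUES (@username, @password)");
        // Sizes 50 and 128 are assumed; match them to the real column definitions.
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: an ordinary name that contains a single quote.
        string username = "O'Brien";
        string password = "example-value";

        using (SqlCommand concatenated = BuildConcatenated(username, password))
        using (SqlCommand parameterized = BuildParameterized(username, password))
        {
            // The quote in the name closes the string literal early, so the statement text is malformed.
            Console.WriteLine("Concatenated : " + concatenated.CommandText);

            // The statement text is the same for every input; the quote stays inside the parameter value.
            Console.WriteLine("Parameterized: " + parameterized.CommandText);
            foreach (SqlParameter p in parameterized.Parameters)
            {
                Console.WriteLine("  {0} ({1}, size {2}) = {3}",
                    p.ParameterName, p.SqlDbType, p.Size, p.Value);
            }
        }
        // To execute, assign an open SqlConnection to the command's Connection
        // property and call ExecuteNonQuery().
    }
}
```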