Don't do it like that! Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
And also, never store passwords in clear text - it is a major security risk. There is some information on how to do it here:
Password Storage: How to do it. - it's SQL Server based, but it's exactly the same procedure for MySQL.
Finally ... when you try to check if a user is logging in with the right info, it's probably a good idea to look at what the database returns, instead of just ignoring it and assuming they can log in ... you don't get an exception for "no rows returned".