First point: do not use string concatenation to create SQL statements; it leaves your system vulnerable to SQL injection. Use parameterised queries always.
Second point: do not store passwords in clear text; use salted hash values always. See Secure Password Authentication Explained Simply.
Third point: passwords should match exactly, so if uppercase letters are part of it, they must still be uppercase to log in.