Don't do it that way!
For example, if I tried to log in to your system with the user name
Hello';DROP TABLES dbo.ei_employee;--
What do you think would happen?
Or, I could just log in without giving you a password, if I wanted to.
1) Don't concatenate strings: use Parametrized queries instead. Or you will lose your database. Probably to your best mate "for a laugh".
' The user input is bound to @NM and @PW as data, so it is never parsed as part of the SQL text.
cmd = New SqlCommand("Select * from dbo.ei_employee where code = @NM AND password = @PW", con)
cmd.Parameters.AddWithValue("@NM", user_name.Text)
cmd.Parameters.AddWithValue("@PW", password.Text)
sdr = cmd.ExecuteReader()
2) Don't store passwords in clear text! There is a description here which may help:
Password Storage: How to do it.
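
The two points above combined, as an added example that is not part of the original answer: the login check looks the user up with a parameterized query and compares a salted PBKDF2 hash instead of a clear-text password. It assumes .NET Framework 4.7.2 or later, an already open connection, and two hypothetical VARBINARY columns, pw_salt and pw_hash, in place of the password column; the iteration count is also an assumed value.

```vbnet
Imports System.Data.SqlClient
Imports System.Security.Cryptography

Module PasswordCheck
    Private Const Iterations As Integer = 100000 ' assumed work factor; tune for your hardware
    Private Const HashBytes As Integer = 32

    ' Derive a PBKDF2-HMAC-SHA256 hash from the password and a per-user salt.
    Function HashPassword(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashBytes)
        End Using
    End Function

    ' Create a fresh 16-byte random salt whenever a password is set or changed.
    Function NewSalt() As Byte()
        Dim salt(15) As Byte
        Using rng = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        Return salt
    End Function

    ' Compare two hashes without returning early on the first differing byte.
    Function SameBytes(a As Byte(), b As Byte()) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    ' pw_salt and pw_hash are hypothetical columns; con must already be open.
    Function VerifyLogin(con As SqlConnection, userName As String, password As String) As Boolean
        Using cmd As New SqlCommand("SELECT pw_salt, pw_hash FROM dbo.ei_employee WHERE code = @NM", con)
            cmd.Parameters.AddWithValue("@NM", userName)
            Using sdr = cmd.ExecuteReader()
                If Not sdr.Read() Then Return False ' unknown user
                Dim salt = DirectCast(sdr("pw_salt"), Byte())
                Dim stored = DirectCast(sdr("pw_hash"), Byte())
                Return SameBytes(HashPassword(password, salt), stored)
            End Using
        End Using
    End Function
End Module
```

When a password is set, store the output of NewSalt() and HashPassword() in the two columns; the password itself is never written to the table.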