You're making a couple of monstrous mistakes in your design. The first of which is storing user passwords in clear text in your database.
The second mistake is using string concatenation to build your SQL query.
Think about this one: What if a user typed
whocares; DROP TABLE UserAccount; --
into the Username box?? I'll give you a hint: You'd be terminated on the spot. Don't think it'll happen?? Think again. It only has to happen once.
Read these[^] and these[^].
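
Added example, not part of the original answer: a sketch of both fixes using Python's standard library, with an in-memory SQLite database standing in for the real one. The column names `Salt` and `PasswordHash`, the helper names and the PBKDF2 iteration count are assumptions; the table name and the Username input are the ones quoted above.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed input: the Username value quoted in the post above.
PAYLOAD = "whocares; DROP TABLE UserAccount; --"
ITERATIONS = 600_000  # assumed PBKDF2 work factor


def open_db():
    """In-memory stand-in for the real database (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserAccount ("
               "Username TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB)")
    return db


def derive(password, salt):
    """Salted, slow hash so the table never holds the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(db, username, password):
    salt = os.urandom(16)
    # '?' placeholders: the driver passes values separately from the SQL text.
    db.execute("INSERT INTO UserAccount VALUES (?, ?, ?)",
               (username, salt, derive(password, salt)))


def login(db, username, password):
    row = db.execute(
        "SELECT Salt, PasswordHash FROM UserAccount WHERE Username = ?",
        (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash with the stored one.
    return hmac.compare_digest(derive(password, salt), stored)


def table_exists(db):
    return db.execute("SELECT count(*) FROM sqlite_master "
                      "WHERE type='table' AND name='UserAccount'"
                      ).fetchone()[0] == 1


if __name__ == "__main__":
    db = open_db()
    register(db, "alice", "correct horse")
    print(login(db, PAYLOAD, "x"))  # the input is only looked up as a name
    print(login(db, "alice", "correct horse"), table_exists(db))
```

Because the Username value is bound as a parameter, the quoted input is compared as a literal string and the table is untouched.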