The most obvious reason for the "query not executed" is that you don't show the actual call to ExecuteReader, or DataAdapter.Fill - I will assume that you have one or the other in there though.
Why are you casting password? Why are you storing them as text? Even using parameterized queries, that is not a good idea for security reasons. See here: Password Storage: How to do it.
Once you have converted your passwords to a secure form, do a simpler query that returns the user_id and the password given only the username - then verify the password in the code behind instead of as part of the query. That way, the password you expect to be valid never leaves the server, and you have much better control over what goes on.
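The flow described in the answer above, as an added example that is not part of the original answer: a parameterized lookup by username only, followed by verification of a salted hash in application code. It is written in Python against an in-memory SQLite database so it runs stand-alone. The table layout, column names, function names and the PBKDF2 iteration count are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def create_demo_db():
    """Constructed sample data: one user whose password is stored only as salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,"
        " salt BLOB NOT NULL, pw_hash BLOB NOT NULL)"
    )
    salt, digest = hash_password("correct horse battery staple")
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        ("alice", salt, digest),
    )
    return conn


# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")


def verify_login(conn, username, password):
    """Return the user_id on success, None otherwise."""
    # The query takes only the username, bound as a parameter; the submitted
    # password is never sent to the database or placed in the SQL text.
    row = conn.execute(
        "SELECT user_id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    user_id, salt, stored = row if row else (None, _DUMMY_SALT, _DUMMY_HASH)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison, done in application code rather than in SQL.
    matches = hmac.compare_digest(candidate, stored)
    return user_id if (matches and row) else None
```
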