To add to what Tejas says, for your own sake, don't do it like that!
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead.
For example, the way you do it, I do not need any password to log into your system - all I have to do is enter any username, followed by four other characters, and I am logged in. Or, I could extend that, log in (or not log in), and delete your entire database, from anywhere in the world.
Never store passwords in clear text! Have a look here: Password Storage: How to do it.