SHA is not an encryption algorithm - it is a hashing algorithm and the two are very different. Encryption can be reversed to recover the original input, hashing cannot. You can't "decrypt" an SHA1 hash value to get back the original password.
Having said that, it is exactly the right thing to use for a password!
No, seriously: encrypting passwords is insecure,
because the decryption key has to be part of your app to use it - which means you are keeping the key with the data where it is easy to find. As a result, encrypted passwords are about as secure as storing them in plain text!
To use hashed passwords you get the hashed value from the DB and compare it to the hash generated from what the user input. If they match, he entered the right password. If they don't, he didn't. There is some information on how to do it here:
Password Storage: How to do it.[
^]
But you have a bigger, more dangerous and pressing problem: Never concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Always use Parameterized queries instead.
When you concatenate strings, you cause problems because SQL receives commands like:
SELECT * FROM MyTable WHERE StreetAddress = 'Baker's Wood'
The quote the user added terminates the string as far as SQL is concerned and you get problems. But it could be worse. If I come along and type this instead: "x';DROP TABLE MyTable;--" Then SQL receives a very different command:
SELECT * FROM MyTable WHERE StreetAddress = 'x';DROP TABLE MyTable;
Which SQL sees as three separate commands:
SELECT * FROM MyTable WHERE StreetAddress = 'x';
A perfectly valid SELECT
DROP TABLE MyTable;
A perfectly valid "delete the table" command
And everything else is a comment.
So it does: selects any matching rows, deletes the table from the DB, and ignores anything else.
So ALWAYS use parameterized queries! Or be prepared to restore your DB from backup frequently. You do take backups regularly, don't you?
You need to go through your whole app and fix everywhere you do that - leave one, and your DB is at risk. And doing it on a login page? That's not just leaving your front door unlocked, that's handing the burglars the keys on your way out and telling them the alarm code...