:sigh:
The number of problems here is really quite amazing: you should think yourself lucky that it doesn't compile - because if this got out into the "real world" your chances of a Christmas bonus this year would be unbelievably small.
Let's start the the Big One: SQL Injection.
When you leave yourself open to SQL Injection on your login page for a website, you let anyone, anywhere in the world, do anything they like to your database without even having to log in. And I'm serious: that code lets me log in as you without knowing your password, change your password so I know it and you don't, or just delete your entire database. All without logging in.
Never, ever, concatenate strings to form an SQL command. Always use parametrized queries, or someone will come along, and take advantage of it...
Then there is the second big one: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here:
Password Storage: How to do it.[
^]
Third, why are you reinventing the wheel and trying to implement website login yourself? Use the built in facilities, and you don't leave the erst of your site wide open as well... Start here:
Introduction to membership[
^]
And then you should find all your other problems starting to melt away...