I had created a registration page for users to sign up an account and a database to store all information such as username and password. I had also created a login page for users to login after registering an account. How do I link the database so that I will know that the particular user had keyed the correct password.

 protected void Button1_Click(object sender, EventArgs e)
        {

            string username = TextBox1.Text;
            string password = TextBox2.Text;
            SqlConnection connection = null;
            SqlCommand command = null;
            SqlDataReader dataReader = null;
            try
            {
                string connectionString = ConfigurationManager.ConnectionStrings["TestConnectionString"].ConnectionString;
                connection = new SqlConnection(connectionString);
                connection.Open();
                //prepare sql statements
                string sql = "SELECT * from Staff where username='" + username + "'And Password='" + password + "'";
                command = new SqlCommand(sql, connection);
                dataReader = command.ExecuteReader();

                while (dataReader.Read())
                {

                    username = dataReader.GetString(3);
                    Session.Add("username", username);

                }
                dataReader.Close();
            }
            catch (Exception ex)
            {
                Response.Write(ex.Message);
            }

I had also come up with this. Can someone tell me if I'm doing the right thing?

Seems quite o.k. You should not store unencrypted plain text passwords for security reasons. And instead of "SELECT *" better "SELECT username,password" for performance reasons.

But when I tried running in browser, I had this error message - Incorrect syntax near the keyword 'User'