Rather than creating your new form inside your login method, keep your login method purely for validating the user, then create the form based on its return value:
private void button1_Click(object sender, EventArgs e)
{
    bool Validated = login(txt_username.Text, txt_password.Text);
    if (Validated) { /* create and show the new form here */ }
    else { /* notify user of invalid credentials */ }
}
public Boolean login(string user,string pass)
{
    SqlConnection con = new SqlConnection("Data Source=SNSS1\\SQLEXPRESS;Initial Catalog=Employee;User ID=sa;Password=eLog!234");
    SqlCommand cmd=new SqlCommand ("select * from Tbl_password where UserName='"+user+"' and Password='"+pass+"'",con);
    con.Open();
    SqlDataReader dr = cmd.ExecuteReader();
    while (dr.Read())
        if ((dr["UserName"].ToString() == user) && (dr["Password"].ToString() == pass)) return true;
    return false;
}
You may also want to reconsider the while(dr.Read()) section. If you call dr.Read() when no records have been returned you will throw an exception. Take a look at the dr.HasRows property and see if you can streamline the logic in that section.
Post your changes and let us know if you get stuck :)
Remember, this type of dynamic SQL query will cause a SQL injection vulnerability in your application. Use parametrized queries instead of appending to the SQL string.
Change the SQL to:
select * from Tbl_password where UserName=@userName and Password=@password
Instead of selecting user name and password from table, change the sql query like this:
select count(*) from Tbl_password where UserName=@userName and Password=@password
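The two replies above combined into one validation method, as an added example that is not code from any of the posts: the `count(*)` query is run with `@userName` and `@password` bound as typed parameters, and the method only returns a bool. The class name `LoginValidator`, the `nvarchar(50)` column sizes, and passing the connection string in from configuration are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper class; the thread keeps login() on the form itself.
public class LoginValidator
{
    private readonly string connectionString;

    // Assumption: the caller reads the connection string from configuration
    // instead of embedding it in the source.
    public LoginValidator(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Returns true only when a row matches both values; creates no UI.
    public bool Login(string user, string pass)
    {
        const string sql =
            "select count(*) from Tbl_password " +
            "where UserName=@userName and Password=@password";

        using (SqlConnection con = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, con))
        {
            // The values are sent separately from the statement text, so a
            // quote character in either text box is compared as data and
            // cannot change the structure of the query.
            // Assumption: both columns are nvarchar(50).
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = pass;

            con.Open();

            // count(*) always yields exactly one row with one int column,
            // so there is no reader loop or HasRows check to get wrong.
            return Convert.ToInt32(cmd.ExecuteScalar()) > 0;
        }
    }
}
```

In `button1_Click`, the call becomes `bool Validated = new LoginValidator(connectionString).Login(txt_username.Text, txt_password.Text);` and the form is created or the error shown based on that value.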