There are so many things wrong with that approach.
1) You shouldn't report different errors - if you do, it tells the naughty peoiple thjat they have a valid user id, but a bad password.
2) I could bypass your password checking without even trying! And if I can, anyone can! Use parametrized queries, or your database is at risk from an SQL Injection attack which could damage or destroy it.
3) Never store passwords in clear text - it is a major security risk. There is some information on how to do it here:
Password Storage: How to do it.[
^]