Bad code:
// Builds the query by concatenating the caller-supplied login and password directly
// into the SQL text, so a quote or operator inside either value becomes part of the
// statement itself (SQL injection); the values should be bound as SqlParameters instead.
// Comparing Password='...' against the raw input also suggests the column holds the
// password in clear text — confirm against the schema.
SqlCommand command = new SqlCommand("SELECT COUNT(*) FROM Accounts WHERE Login='" + login + "' AND Password='" + password + "'", conn);
Good code:
// Send the user-supplied values as bound parameters instead of splicing them into the
// SQL text: the driver transmits them separately from the statement, so their content
// can never change what the statement does. The command is IDisposable; the caller
// should dispose it (e.g. with `using`) once the query has run.
SqlCommand command = new SqlCommand("SELECT COUNT(*) FROM Accounts WHERE Login=@login AND Password=@password", conn);

// Add(name, type, size) creates the SqlParameter and attaches it in one step; SqlClient
// accepts the name without the '@' prefix and maps it to @login in the query text.
// A value longer than the declared size (100) is truncated to that length before it
// is sent, so it is compared in truncated form — keep the size in step with the column.
SqlParameter param = command.Parameters.Add("login", SqlDbType.VarChar, 100);
param.Value = login;

// The password is compared directly against the Password column, which presumably
// means it is stored in clear text — verify against the schema; a stored hash would
// normally be compared here instead. VarChar is assumed to match the column type;
// if the column is NVARCHAR, the server will convert on comparison.
param = command.Parameters.Add("password", SqlDbType.VarChar, 100);
param.Value = password;