Parameterized queries are used to protect against SQL Injection vulnerabilities. In your case you would use something like this
Dim qdf As DAO.QueryDef
Set qdf = CurrentDb.CreateQueryDef("", _
"PARAMETERS prmUserName TEXT(255), prmUserPassword TEXT(255);" & _
"SELECT Id, UserName, UserCode FROM UserTable" & _
" WHERE UserName = [prmUserName] AND UserPassword = [prmUserPassword] AND IsInactive=0")
qdf!prmUserName = Me.UserNameTextBox.Value
qdf!prmUserPassword = Me.passwordtextbox.Value
Set rst = qdf.OpenRecordset