The way you have your SQL statement, you are wide open for SQL injection. It should be parameterized as you were optionally shooting for... Put that as your statement.
SELECT * FROM Table WHERE [username]=@parmUserName AND [password]=@parmPassword
Then, add your parameters as you were going for, but you should probably clean them too for sanity purposes. Here, the inbound parameters of username, password are NOT the column names for the query. You are setting these VALUES into the parameter objects.
cmd.Parameters.AddWithValue("@parmUserName", username);
cmd.Parameters.AddWithValue("@parmPassword", password);
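
The parameter binding described in this answer, as an added example that is not part of the original post. It assumes an in-memory SQLite database through the Microsoft.Data.Sqlite NuGet package so it can run without a server; the `Users` table, the sample row, the `COUNT(*)` projection and the `CredentialsMatch` helper are constructed for illustration.

```csharp
// Added example. Assumption: Microsoft.Data.Sqlite (NuGet) with an in-memory
// database stands in for the poster's database; table and rows are constructed.
using System;
using Microsoft.Data.Sqlite;

static class LoginDemo
{
    // Same WHERE clause and parameter names as the answer's statement.
    const string Sql =
        "SELECT COUNT(*) FROM Users " +
        "WHERE [username]=@parmUserName AND [password]=@parmPassword";

    static bool CredentialsMatch(SqliteConnection conn, string username, string password)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = Sql;
        // The values travel separately from the SQL text, so quotes or keywords
        // inside them are compared as data and never parsed as SQL.
        cmd.Parameters.AddWithValue("@parmUserName", username);
        cmd.Parameters.AddWithValue("@parmPassword", password);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();

        // Constructed sample data. The plaintext password column mirrors the
        // query on the page; a production schema would hold a salted hash.
        using (var setup = conn.CreateCommand())
        {
            setup.CommandText =
                "CREATE TABLE Users ([username] TEXT, [password] TEXT);" +
                "INSERT INTO Users VALUES ('alice', 'correct horse');";
            setup.ExecuteNonQuery();
        }

        Console.WriteLine(CredentialsMatch(conn, "alice", "correct horse"));
        Console.WriteLine(CredentialsMatch(conn, "alice", "wrong"));
        // Constructed input containing SQL syntax: it is matched literally
        // against the password column, so no row is found.
        Console.WriteLine(CredentialsMatch(conn, "alice", "' OR '1'='1"));
    }
}
```

Only the first call reports a match; the input containing quote characters is stored in the parameter as an ordinary string and fails the comparison like any other wrong password.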