I presume this is just preliminary test code so I won't insert the usual warning about using ad hoc SQL statements (SQL injection, etc.). But that is just one of the problems you face with such constructed SQL. In your example, you would need to use single quotes to surround the username parameter (just as you would do in a SQL statement executed in the SQL IDE).

    string query = "SELECT * FROM [User] WHERE username = '" + enteredUser + "'";

The most correct solution therefore is to use Parameters in tandem with a Stored Procedure.
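
The parameter-plus-stored-procedure approach recommended above, shown as an added example that is not part of the original answer. The procedure name `dbo.GetUserByUsername`, the `NVARCHAR(50)` size and the `USERDB_CONNECTION` environment variable are assumptions; the `[User]` table and `username` column come from the query above.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed stored procedure (hypothetical name and size), created once in the database:
//   CREATE PROCEDURE dbo.GetUserByUsername @username NVARCHAR(50) AS
//       SELECT * FROM [User] WHERE username = @username;

static class UserLookup
{
    // Builds the call. The entered text travels as a typed parameter value,
    // never as part of the SQL text, so no quoting or escaping is needed.
    public static SqlCommand BuildCommand(SqlConnection conn, string enteredUser)
    {
        var cmd = new SqlCommand("dbo.GetUserByUsername", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = enteredUser;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input: in the concatenated query the apostrophe
        // would close the string literal early and produce a syntax error.
        string enteredUser = "O'Brien";

        // Assumption: the connection string is supplied through the environment.
        string cs = Environment.GetEnvironmentVariable("USERDB_CONNECTION");
        if (string.IsNullOrEmpty(cs))
        {
            Console.WriteLine("Set USERDB_CONNECTION to run the lookup.");
            return;
        }

        using (var conn = new SqlConnection(cs))
        using (var cmd = BuildCommand(conn, enteredUser))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader["username"]);
            }
        }
    }
}
```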
