invisal 381 Search and Destroy

* Edit: Sorry about double negative on the title, I don't know how to edit it back

First of all, I am fairly new to Microsoft Access VBA. I created a form with 2 textbox (txtUsername and txtPassword) and one label act as button (I use label instead of button because I want to have flat-looking button with red-background). In that label click event, I wrote:

Dim query As String
'' strSQL is a function to prevent SQL injection
query = "SELECT * FROM tbUser WHERE username='" + strSQL(txtUsername) + "' AND password='" + strSQL(txtPassword) + "'"
Msgbox(query)
Set rs = db.OpenRecordSet(query)
   If rs.RecordCount = 0 Then
         Msgbox("Invalid Username and password")
   End If
rs.Close

Then I run my program. I input "visal" into txtUsername and "12345678" into txtPassword. Then I click on that label. Result is:

SELECT * FROM tbUser WHERE username='visal' AND password='1234678'

Then, when I change txtPassword to "helloworld" then click on that label again. the result is still the same:

SELECT * FROM tbUser WHERE username='visal' AND password='1234678'

When I use the same code with button, not label. It seem to work properly. Any idea how to fix it?