I think for testing your example, you could ignore the 'bad form'.

But if this will be accessed by other people (especially the public) that might ever have malicious intent then you should...

I think the problem is where you're building your select
SqlDataAdapter da = new SqlDataAdapter("select * from mudiamINC where fname like" + TextBox1.Text + " %", con);
I'm think you need a space...