SqlException was unhandled by user code error during execution

Question

I am making page to display information from table (Like inbox page of any email website). But I am gettting the following error:

Incorrect syntax near the keyword 'to'.

Below is my C# code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class Inbox : System.Web.UI.Page
{
SqlConnection con = new SqlConnection();
SqlCommand cmmd = new SqlCommand();
protected void Page_Load(object sender, EventArgs e)
{
    con.ConnectionString=@"Data Source=(LocalDB)\v11.0;AttachDbFilename=c:\Users\user\documents\visual studio 2012\WebSites\Email\App_Data\Database.mdf;Integrated Security=True";
    con.Open();
    label1.Text = Session["uid"].ToString();

    cmmd.CommandText = "select frm from Inbox where to='" + Session["uid2"].ToString() + "'";
    cmmd.Connection= con;
    SqlDataAdapter daa = new SqlDataAdapter(cmmd);
    DataTable dtt = new DataTable();
    daa.Fill(dtt);

    if(dtt.Rows.Count > 0)
    {
        label2.Text = dtt.Rows[0][3].ToString();
    }

}

}

How to Solve this error?

Answer 1

Use "[to]" instead of just "to". It is problem when you use reserved term for field name.

It should be like this:

cmmd.CommandText = "select [frm] from [Inbox] where [to]='" + Session["uid2"].ToString() + "'";

EDIT:

And yes, for better security and less error-prone code you should use SqlParameter, something like that:

cmmd.CommandText = "select [frm] from [Inbox] where [to]=@SID"
cmmd.Parameters.Add("@SID", SqlDbType.Varchar);
cmmd.Parameters["@SID"].Value = Session["uid"].ToString();;