1. You do not have a WHERE clause on your SQL statement. You are using one in the subquery but you need to also put one on the main query or else you get all records.
2. Never use string concatenation like this for parameters. I could steal your data with the code you have written using SQL injection techniques. Instead use parameterized statements, like this:
string SQL = "SELECT * FROM table1 WHERE field1 = @userName";
...
cmd.CommandText = SQL;
...
cmd.Parameters.AddWithValue("@userName", lbl_upname.Text);
...