1. This is a dangerous way to code. It's exposed to SQL injection. Please use parameters instead of concatenating code. For example:
    query = "SELECT ... FROM ... WHERE Flat = @Flat";
    ...
    com.Parameters.AddWithValue("@Flat", Request.QueryString["fnum"]);
2. You are only passing in 1 condition in your WHERE clause but you said you had a problem with 3.
3. Write your query in SQL Management Studio first and get it working there. Then you can easily put it into C#.
4. I would also recommend instead of using the inline SQL that you write a stored procedure and call it instead.
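
A sketch of points 1 and 2 combined, added here as an illustration and not part of the original answer: a three-condition WHERE clause built entirely from parameters. The table name, the `Block` and `FloorNo` columns and the `bnum` and `floor` query-string keys are hypothetical, and it uses `Parameters.Add` with explicit types rather than the `AddWithValue` call shown above.

```csharp
using System;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;

static class FlatQuery
{
    // Hypothetical table and columns (only Flat comes from the answer above).
    const string Sql =
        "SELECT Flat, Block, FloorNo FROM Flats " +
        "WHERE Flat = @Flat AND Block = @Block AND FloorNo = @FloorNo";

    // Builds the command from query-string values (pass Request.QueryString in ASP.NET).
    public static SqlCommand Build(NameValueCollection qs)
    {
        string flat = Require(qs, "fnum");
        string block = Require(qs, "bnum");                       // hypothetical key
        if (!int.TryParse(Require(qs, "floor"), out int floorNo)) // hypothetical key
            throw new ArgumentException("floor must be an integer");

        var cmd = new SqlCommand(Sql);
        // Explicit types and sizes: the values travel as data, never as SQL text.
        cmd.Parameters.Add("@Flat", SqlDbType.NVarChar, 20).Value = flat;
        cmd.Parameters.Add("@Block", SqlDbType.NVarChar, 20).Value = block;
        cmd.Parameters.Add("@FloorNo", SqlDbType.Int).Value = floorNo;
        return cmd;
    }

    // Rejects a missing or blank value instead of silently querying with it.
    static string Require(NameValueCollection qs, string key)
    {
        string value = qs[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new ArgumentException("missing query-string value: " + key);
        return value.Trim();
    }

    static void Main()
    {
        // Constructed sample input; the apostrophe stays inside the parameter value.
        var qs = new NameValueCollection { { "fnum", "12'A" }, { "bnum", "C" }, { "floor", "3" } };
        using (SqlCommand cmd = Build(qs))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value + " (" + p.SqlDbType + ")");
        }
    }
}
```

Before executing, assign an open `SqlConnection` to `cmd.Connection`; the command text printed by `Main` is identical whatever the input values contain.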