Kanan, two best practices: 1) Use a PreparedStatement (with a question mark) rather than appending the option into the SQL string. This prevents SQL injection attacks, where someone can execute arbitrary SQL code. 2) Keep SQL code out of a JSP. It really should be in a Java class (called from a servlet, not a JSP).
As for right and wrong, it depends what you want the code to do.
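As an added illustration of both points (not code from the original post), a hypothetical `OptionDao` class that keeps the SQL out of the JSP, so a servlet can call it, and shows the string-built query next to its `PreparedStatement` equivalent; the `options` table, its `id` and `name` columns, and the injected `DataSource` are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

// Hypothetical DAO: a table "options" with columns "id" and "name" is assumed.
public class OptionDao {
    private final DataSource dataSource;

    public OptionDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Vulnerable: the request parameter becomes part of the SQL text, so a
    // quote character in the value ends the string literal and whatever
    // follows is parsed as SQL (the injection the post warns about).
    public List<Integer> findIdsUnsafe(String optionName) throws SQLException {
        String sql = "SELECT id FROM options WHERE name = '" + optionName + "'";
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collectIds(rs);
        }
    }

    // Safe: the '?' placeholder is bound as a parameter value by the driver,
    // so the option text is never interpreted as SQL.
    public List<Integer> findIds(String optionName) throws SQLException {
        String sql = "SELECT id FROM options WHERE name = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, optionName);
            try (ResultSet rs = ps.executeQuery()) {
                return collectIds(rs);
            }
        }
    }

    private static List<Integer> collectIds(ResultSet rs) throws SQLException {
        List<Integer> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getInt("id"));
        }
        return ids;
    }
}
```

The servlet would obtain the `DataSource` from JNDI or its container, call `findIds(request.getParameter("option"))`, and forward the result to the JSP for rendering only.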