Kanan,

Two best practices:

1) Use a PreparedStatement (with a question mark) rather than string appending the option in. This presents SQL injection attacks where someone can execute arbitrary SQL code.
2) Keep SQL code out of a JSP. It really should be in a Java class (called from a servlet not a JSP.)

As for right and wrong, it depends what you want the code to do.
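
The two practices from the reply above, as an added example that is not part of the original post: a plain Java class holds the SQL and binds the option through a `?` placeholder. The class name `ItemDao`, the `items` table, its columns and the JDBC URL passed in `args[0]` are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Hypothetical DAO: the SQL lives here, in a plain Java class a servlet calls,
// not in the JSP. Table and column names are assumptions for illustration.
public class ItemDao {
    // The pattern to avoid builds the query from the request value:
    //   "SELECT name FROM items WHERE category = '" + option + "'"
    // so a quote inside `option` changes the statement itself.
    private static final String BY_CATEGORY =
        "SELECT name FROM items WHERE category = ? ORDER BY name";

    public static List<String> findNames(Connection con, String option) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(BY_CATEGORY)) {
            ps.setString(1, option); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }

    // Demo: args[0] is a JDBC URL for any database whose driver is on the
    // classpath (for example an in-memory one). All rows are constructed.
    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(args[0]);
             Statement st = con.createStatement()) {
            st.executeUpdate("CREATE TABLE items (name VARCHAR(50), category VARCHAR(50))");
            st.executeUpdate("INSERT INTO items VALUES ('Dune', 'books')");
            st.executeUpdate("INSERT INTO items VALUES ('Hammer', 'tools')");

            System.out.println(findNames(con, "books"));
            // A value shaped like an injection attempt is compared as one literal string.
            System.out.println(findNames(con, "books' OR '1'='1"));
        }
    }
}
```

A servlet would call `ItemDao.findNames` with the request parameter and hand the resulting list to the JSP for display only.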