I really suggest you either start using PreparedStatement or use proper validation yourself on the request parameters, because right now your site is highly susceptible to SQL injection. What would you do if I sent the following as the value for "tocur" (and nothing for "fromcur"):
The full query would become this:
Oops! Both statements will be executed, and because the WHERE clause of the second one is always true it will clear your entire table.
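The two fixes suggested above, combined in one sketch. This is an added example, not part of the original answer or the asker's code. It assumes that "fromcur" and "tocur" carry three-letter currency codes, and the table `exchange_rates`, its columns, and the class and method names are hypothetical.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public class RateLookup {
    // Assumption: "fromcur"/"tocur" are three-letter currency codes such as "EUR".
    private static final Pattern CODE = Pattern.compile("[A-Z]{3}");

    /** Allow-list validation: reject anything that is not exactly three uppercase letters. */
    static String requireCurrencyCode(String name, String value) {
        if (value == null || !CODE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid value for parameter " + name);
        }
        return value;
    }

    /** Hypothetical table and columns; values are bound as parameters, never concatenated. */
    static BigDecimal findRate(Connection con, String fromcur, String tocur) throws SQLException {
        String sql = "SELECT rate FROM exchange_rates WHERE from_cur = ? AND to_cur = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            // The driver sends these as data, so quotes or semicolons cannot change the statement.
            ps.setString(1, requireCurrencyCode("fromcur", fromcur));
            ps.setString(2, requireCurrencyCode("tocur", tocur));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getBigDecimal(1) : null; // null when no row matches
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a valid code, an empty value, and a value containing a quote.
        String[] samples = { "USD", "", "US'D" };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + requireCurrencyCode("tocur", s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + s + "\"");
            }
        }
    }
}
```

The `main` method exercises only the validation and needs no database; `findRate` needs a `Connection` from whichever JDBC driver the application already uses.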