1.) Do not write database connection code in JSPs. Use a normal Java class (DAO) that you call from a servlet.
2.) Always close result sets, statements and connections in a finally block.
3.) Use a PreparedStatement for passing parameters to your query. That will prevent SQL injection and fix the SQL syntax error you are getting.
E. is not steering you wrong -- you should not be putting any Java code in a JSP. That is a bad bad practice from long long ago. Modern JSP pages (that is, anything written in the past 12 years) should be free of Java code.
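The three points above combined into one DAO, as an added example that is not code from the thread. The `UserDao` class, the `users` table and its `name`/`email` columns are hypothetical; the servlet would construct the DAO with the container's `DataSource` and call `findEmailByName`.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

// Hypothetical DAO: table and column names are assumptions for illustration.
public class UserDao {
    private final DataSource dataSource;

    public UserDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /** Returns the e-mail for the given user name, or null if no row matches. */
    public String findEmailByName(String userName) throws SQLException {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            conn = dataSource.getConnection();
            // The value is bound to the ? placeholder, never concatenated into
            // the SQL text, so quotes in userName cannot alter the statement.
            stmt = conn.prepareStatement("SELECT email FROM users WHERE name = ?");
            stmt.setString(1, userName);
            rs = stmt.executeQuery();
            return rs.next() ? rs.getString("email") : null;
        } finally {
            // Runs on success and on exception; close in reverse order of creation.
            closeQuietly(rs);
            closeQuietly(stmt);
            closeQuietly(conn);
        }
    }

    // A failure while closing one resource must not prevent closing the others.
    private static void closeQuietly(AutoCloseable resource) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (Exception ignored) {
            // Nothing useful can be done here; the original exception (if any) still propagates.
        }
    }
}
```

On Java 7 and later, a try-with-resources statement gives the same close-on-every-path guarantee with less code.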