Putting aside that the query tag shouldn't really be used outside of prototyping, you should be using the <sql:param> tag to bind the cat variable, so using it as a PreparedStatement.
At the moment you have something that is prone to SQL injection.
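The difference described in the reply above, as an added example that is not code from the original thread. The data source name `jdbc/shop`, the `products` table and its columns are hypothetical, and `cat` is assumed to arrive as a request parameter.

```jsp
<%@ taglib prefix="c"   uri="http://java.sun.com/jsp/jstl/core" %>
<%@ taglib prefix="sql" uri="http://java.sun.com/jsp/jstl/sql" %>

<%-- Injectable form: the EL expression is expanded into the SQL text
     before the statement reaches the database, so the value of "cat"
     becomes part of the query itself. --%>
<sql:query var="unsafeItems" dataSource="jdbc/shop">
  SELECT id, name FROM products WHERE category = '${param.cat}'
</sql:query>

<%-- Bound form: the SQL text is fixed and contains only a "?" placeholder.
     <sql:param> supplies the value separately, so the tag runs it as a
     PreparedStatement and "cat" is always treated as data. --%>
<sql:query var="items" dataSource="jdbc/shop">
  SELECT id, name FROM products WHERE category = ?
  <sql:param value="${param.cat}" />
</sql:query>

<%-- c:out escapes the value on output, so stored markup is not
     rendered as HTML. --%>
<c:forEach var="row" items="${items.rows}">
  <c:out value="${row.name}" /><br/>
</c:forEach>
```

Placeholders are matched to `<sql:param>` tags in order, so a query with several `?` markers needs one tag per marker in the same sequence.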