This week's book giveaway is in the Agile and Other Processes forum. We're giving away four copies of The Journey To Enterprise Agility and have Daryl Kulak & Hong Li on-line! See this thread for details.
I agree with the responses above there are many ways a SQL statement can be invalid as well as giving a users access to execute raw SQL statements can be destructive to your database.
if you must go this route. I would suggest you provide a series of drop down lists where you have more control on what the users can query i.e. table, columns and only queries of the database, no insert or updates if possible.
Updates and Inserts can be handled by another JSP (form) page where the user will enter information to be added to the database.
Once the users make their selections you will put everything together and build the SQL statement behind the scenes.