Prepared statement - use binding

DON'T: concatenate values into SQL text. DO: pass them as bound parameters instead. Besides reducing the risk of SQL injection, binding avoids the cost of concatenation: every distinct concatenated string is a new statement that the database must reparse, and you also lose the benefit of any PreparedStatement caching done by the JDBC driver.
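Added example (not part of the original note): the same lookup written once by concatenation and once with a bound parameter, so the two behaviours can be compared side by side. It assumes the sqlite-jdbc driver is on the classpath so that the URL "jdbc:sqlite::memory:" works; the table, rows and inputs are constructed for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example, not from the original note.
 * Assumes the sqlite-jdbc driver is available so "jdbc:sqlite::memory:"
 * opens an in-memory database; any JDBC driver and matching URL would do.
 */
public class BindingExample {

    // Constructed sample table so the example runs offline.
    static void seed(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            st.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)");
            st.execute("INSERT INTO users (username, role) VALUES ('alice', 'admin')");
            st.execute("INSERT INTO users (username, role) VALUES ('bob', 'user')");
        }
    }

    // DON'T: the caller-supplied value becomes part of the SQL text.
    // Each distinct input is a different statement, so the database reparses it
    // and the driver's statement cache never hits; a quote character in the
    // input changes the meaning of the query.
    static int countByConcatenation(Connection c, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // DO: the SQL text is constant and the value travels as a bound parameter.
    // The statement is parsed once and can be cached; the input is always data.
    static int countByBinding(Connection c, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE username = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            seed(c);
            String honest = "alice";
            String quoted = "x' OR '1'='1";   // constructed input containing a quote

            System.out.println("concat, honest: " + countByConcatenation(c, honest));
            System.out.println("concat, quoted: " + countByConcatenation(c, quoted));
            System.out.println("bind,   honest: " + countByBinding(c, honest));
            System.out.println("bind,   quoted: " + countByBinding(c, quoted));
        }
    }
}
```

With the honest name both versions agree. With the quoted input, the concatenated query's WHERE clause no longer compares against a name at all and matches every row, while the bound version compares the whole string as a literal username and matches nothing. The bound version is also the only one whose SQL text is identical on every call, which is what lets the database skip reparsing and lets the driver's PreparedStatement cache do its job.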