Please, whatever you do, don't put commas in the bind variable values.
The structure of the SQL should be constant. Any RDBMS that caches and reuses SQL and execution plans won't recognise this as reusable SQL (also, I am dubious whether this is even legal).
Secondly, I don't think it's a good idea to use strings for non-string values.
You are forcing the database to do an implicit type conversion if the column is actually numeric.
In Oracle, if there is an index on such a numeric column, you will likely disable use of the index because of the type conversion.
Thirdly, there seems to be some confusion between Statement and PreparedStatement. Your very first code example used a Statement, but the topic title says PreparedStatement. To use bind variables you need to use a PreparedStatement.
What I believe you should have is