Unlike a prepared statement, which has to be known ahead of time, a statement can take any string and try to execute it as a SQL statement. This is useful for programs that build SQL statements on the fly or that have to accept and execute statements passed to them from other programs or components.
It should go without saying that this can be a dangerous thing in certain environments (you originally asked this question in the servlets forum), if your code accepts SQL strings (or pieces of SQL strings) from untrusted clients.
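The contrast the answer draws, as an added Java example that is not part of the original thread: the same lookup written once with a `Statement` built by string concatenation and once with a `PreparedStatement` that binds the value. It assumes a `users` table with a `name` column and a JDBC `Connection` supplied by the caller; the JDBC URL in `main` is a placeholder.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // Risky: the caller's string is spliced into the SQL text, so any quote
    // characters in it are parsed as SQL syntax rather than treated as data.
    static int countWithStatement(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safer: the SQL text is fixed before any input is seen and the value is
    // bound as a parameter, so a quote inside username stays a plain character.
    static int countWithPreparedStatement(Connection conn, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: an ordinary name that happens to contain a quote.
        String input = "O'Brien";
        // Placeholder URL: replace with the driver and database you actually use.
        try (Connection conn = DriverManager.getConnection("jdbc:PLACEHOLDER")) {
            System.out.println(countWithPreparedStatement(conn, input));
            // countWithStatement(conn, input) would instead fail with a syntax
            // error, because the quote in the value ends the string literal early;
            // the structure of the query is under the caller's control.
        }
    }
}
```

If the shape of the query itself must vary (table or column names, sort order), a prepared statement cannot bind those parts; validate them against a fixed allow-list before concatenating rather than passing raw strings through a `Statement`.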