Unlike a prepared statement, which has to be known ahead of time, a statement can take any string and try to execute it as a SQL statement. This is useful for programs that build SQL statements on the fly or that have to accept and execute statements passed to them from other programs or components.
It should go without saying that this can be a dangerous thing in certain environments (you originally asked this question in the servlets forum), if your code accepts SQL strings (or pieces of SQL strings) from untrusted clients.
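The two JDBC forms side by side, as an added example that is not part of the reply above: a lookup built from client input with `Statement` (the untrusted value becomes part of the SQL text) next to the same lookup with `PreparedStatement` (the value is bound as data). It assumes a `users` table with a `name` column and a placeholder JDBC URL; both are hypothetical.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StatementVsPrepared {

    // Placeholder URL; substitute one for whatever JDBC driver is on the classpath.
    private static final String JDBC_URL = "jdbc:yourdb://localhost/app";

    // Unsafe: the untrusted value is spliced into the SQL text, so the database
    // parses it as part of the statement. A value like O'Brien already changes the
    // grammar (here it produces a syntax error); any value that alters the query's
    // structure would be executed as written.
    static int countUsersUnsafe(Connection conn, String untrustedName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + untrustedName + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed when the statement is prepared; the value is bound
    // afterwards and is only ever data, never SQL syntax, whatever characters it holds.
    static int countUsersSafe(Connection conn, String untrustedName) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, untrustedName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        String fromRequest = "O'Brien"; // constructed sample of client-supplied input
        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            System.out.println("prepared: " + countUsersSafe(conn, fromRequest));
            System.out.println("dynamic:  " + countUsersUnsafe(conn, fromRequest)); // throws SQLException
        }
    }
}
```

When the SQL genuinely has to be assembled at runtime (for example the client chooses which column to sort by), keep the client-controlled piece to an allow-listed identifier and still bind every value with `PreparedStatement` parameters.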