I think I suggested when you asked a simmilar question in a another post - if you want to build a SQL statement why not use a PreparedStatement? That way you don't even need to know what data type the column is, setObject will do the bulk of the work for you. You'll need to watch for nulls, but that is easy, right?
...again I'm not sure I see what the issue is. You have some sort of meta data (which you are holding in an ArrayList) and you have the table name. That's all you need to build a valid PreparedStatement. Statements (particularaly built up from a web application) are a security hole. If I could use a PreparedStatement over a Statement I would.