You can use a PreparedStatement.
See Java JDBC Tutorial. You put a '?' in your SQL statement where the variable has to be placed.
You later on bind the variable by calling a PreparedStatement.setXXX() method.
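
The steps described in the answer above, as an added example that is not part of the original post. The `person` table, the class and method names, and the in-memory H2 database URL (which needs the H2 driver on the classpath) are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class PreparedStatementDemo {

    // Each '?' is a placeholder; values are bound by 1-based position.
    static void addPerson(Connection conn, String name, int age) throws SQLException {
        String sql = "INSERT INTO person (name, age) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name); // first '?'
            ps.setInt(2, age);     // second '?'
            ps.executeUpdate();
        }
    }

    // The bound value is passed to the driver as data and is not spliced
    // into the SQL text, so quotes in it need no manual escaping.
    static List<Integer> agesFor(Connection conn, String name) throws SQLException {
        List<Integer> ages = new ArrayList<>();
        String sql = "SELECT age FROM person WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ages.add(rs.getInt("age"));
                }
            }
        }
        return ages;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory H2 database; the table is hypothetical.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE person (name VARCHAR(100), age INT)");
            }
            addPerson(conn, "Alice", 30);
            addPerson(conn, "O'Brien", 41); // constructed sample value with a quote
            System.out.println(agesFor(conn, "O'Brien"));
        }
    }
}
```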