Yes. A prepared statement uses binding variables ("?"). The database driver escapes the strings passed to those variables. That way someone can't change your query to a different or destructive one. Search for "sql injection" for some examples.
There's also the benefit that you don't have to write code which escapes quotes according to the rules of your specific database, and you don't need to write code which formats dates and timestamps according to those rules either.
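As an added illustration of both points (not code from the original post): the vulnerable string-concatenated query beside its prepared-statement form. It uses Python's built-in sqlite3 module on a constructed in-memory table so it runs offline; the JDBC pattern is the same, with `PreparedStatement` and `?` placeholders.

```python
import sqlite3
from datetime import date


def make_db() -> sqlite3.Connection:
    """Constructed sample data (hypothetical), not taken from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, joined TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "2015-03-01"),
        ("bob", "2016-07-15"),
        ("o'hara", "2017-01-20"),
    ])
    return conn


def find_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller's input is pasted into the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the input is bound to a '?' placeholder and is never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def joined_since(conn: sqlite3.Connection, since: date) -> list:
    """The date is bound as a parameter; the SQL text carries no hand-quoted literal."""
    sql = "SELECT name FROM users WHERE joined >= ? ORDER BY joined"
    return [row[0] for row in conn.execute(sql, (since.isoformat(),))]


def demo() -> dict:
    """Run the same inputs through both forms and collect what each returns."""
    conn = make_db()
    results = {}
    # A legitimate name containing a quote breaks the concatenated query...
    try:
        results["concat_quote"] = find_concatenated(conn, "o'hara")
    except sqlite3.Error:
        results["concat_quote"] = "error"
    results["prepared_quote"] = find_prepared(conn, "o'hara")
    # ...and a tautology turns it into a different query that matches every row,
    # while the prepared form just looks for a user literally named that.
    tautology = "' OR '1'='1"
    results["concat_tautology"] = sorted(find_concatenated(conn, tautology))
    results["prepared_tautology"] = find_prepared(conn, tautology)
    results["since_2016"] = joined_since(conn, date(2016, 1, 1))
    return results
```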