A Statement object sends queries and updates, as well as receiving errors or ResultSets.
Statement is prone to SQL Injection attacks, especially if you build the query from a raw string.
PreparedStatement is a precompiled SQL statement. It is best used for writing several similar queries in a loop, but as a side effect it will also protect against SQL Injection, because parameter values are bound separately from the SQL text.
PreparedStatement ps = myConnection.prepareStatement("UPDATE ANIMALS SET name=? WHERE id=?");
ps.setString(1, "Hippo");
ps.setInt(2, 7);
ps.executeUpdate(); // an UPDATE returns a row count, so executeUpdate() rather than executeQuery()
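To make the Statement versus PreparedStatement point concrete, here is an added example (not code from the original notes) that runs the same lookup both ways against a scratch table. It assumes an H2 in-memory database driver on the classpath (the JDBC URL, the ANIMALS table and the input "O'Brien" are all constructed for the demo). A single quote in the input is enough to show the difference: with Statement the quote becomes part of the SQL grammar and the query fails to parse, while with PreparedStatement the value is bound as data and the query works.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StatementVsPreparedDemo {

    // Assumption: an H2 in-memory database driver is on the classpath.
    // Any JDBC URL pointing at a scratch database would do.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Unsafe: the caller's input is spliced into the SQL text, so any quote
    // character in it becomes part of the statement's grammar.
    static int countByNameUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM ANIMALS WHERE name = '" + name + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed at prepare time; the input travels as a
    // bound parameter value and cannot change the statement's structure.
    static int countByNameSafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM ANIMALS WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            // Constructed sample data; '' is the SQL escape for a literal quote.
            try (Statement st = c.createStatement()) {
                st.executeUpdate("CREATE TABLE ANIMALS (id INT PRIMARY KEY, name VARCHAR(50))");
                st.executeUpdate("INSERT INTO ANIMALS VALUES (7, 'Hippo')");
                st.executeUpdate("INSERT INTO ANIMALS VALUES (8, 'O''Brien')");
            }

            // The update from the notes, done the PreparedStatement way.
            try (PreparedStatement ps = c.prepareStatement("UPDATE ANIMALS SET name=? WHERE id=?")) {
                ps.setString(1, "Hippo");
                ps.setInt(2, 7);
                System.out.println("rows updated: " + ps.executeUpdate());
            }

            String tricky = "O'Brien"; // constructed input containing a quote

            System.out.println("safe:   " + countByNameSafe(c, tricky));
            try {
                System.out.println("unsafe: " + countByNameUnsafe(c, tricky));
            } catch (SQLException e) {
                // The quote ended the string literal early and the remainder of
                // the input was parsed as SQL. That is exactly the mechanism an
                // injection relies on; binding parameters removes it.
                System.out.println("unsafe: SQL error -> " + e.getMessage());
            }
        }
    }
}
```

The takeaway for code review: any place where user-controlled text is concatenated into a query string should be rewritten to use `?` placeholders with `setString`/`setInt`, as in the notes above; escaping quotes by hand is not a substitute.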
CallableStatement executes stored procedures and can return one or many ResultSets.
CallableStatement cs = myConnection.prepareCall("{CALL BIRTHDAY_SP(?, ?)}");
cs.setInt(1, aid); // aid and yta are int variables set earlier; they are bound as parameters, not concatenated
cs.setInt(2, yta);
cs.execute();