Parameterized SQL Statements

Example:

// The placeholder (?) marks where the user-supplied value goes; the SQL text itself is fixed
String selectStatement = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
// The untrusted request parameter is bound as data to placeholder 1, never concatenated into the query string
prepStmt.setString(1, request.getParameter("customerName"));
ResultSet rs = prepStmt.executeQuery();
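The same idea carried into a runnable form, added here as an illustration and not part of the original page: Python's sqlite3 module with a DB-API `?` placeholder stands in for JDBC's PreparedStatement, and an in-memory user_data table (constructed for this example) is queried two ways. The parameterized version returns the right balance even for a name containing an apostrophe, while the string-concatenated version breaks on the same input because the apostrophe terminates the SQL string literal early, which is exactly the boundary a parameterized statement preserves. Function names and the sample rows are assumptions of this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the page's user_data table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user_data (user_name TEXT PRIMARY KEY, account_balance INTEGER)"
    )
    con.executemany(
        "INSERT INTO user_data VALUES (?, ?)",
        [("alice", 100), ("O'Brien", 250)],
    )
    return con


def balance_concat(con: sqlite3.Connection, customer_name: str):
    """Weak form: the untrusted value is spliced into the SQL text.

    Returns the list of balances, or None when the statement fails to parse
    (e.g. an apostrophe in the input ends the string literal early).
    """
    sql = (
        "SELECT account_balance FROM user_data WHERE user_name = '"
        + customer_name
        + "'"
    )
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


def balance_param(con: sqlite3.Connection, customer_name: str):
    """Parameterized form, the Python equivalent of the page's PreparedStatement.

    The SQL text is constant; the value travels separately as a bound parameter,
    so characters in it can never change the statement's structure.
    """
    sql = "SELECT account_balance FROM user_data WHERE user_name = ?"
    return [row[0] for row in con.execute(sql, (customer_name,))]


if __name__ == "__main__":
    db = make_db()
    for name in ("alice", "O'Brien"):
        print(name, "concat ->", balance_concat(db, name), "param ->", balance_param(db, name))
```

Run it directly to see that only the parameterized lookup handles "O'Brien" correctly; the concatenated query returns None for that name because SQLite rejects the malformed statement.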