Consider the following query, which is executed using Statement stmt:
// Base query: city is compared case-insensitively by upper-casing both sides.
sqlcom = "select count(*) from bloodbanks where ucase(city) = '" + city.toUpperCase() + "'";

// Optional exact match on pin, only when the user supplied one.
if (!pin.equals(""))
    sqlcom = sqlcom + " and pin = '" + pin + "'";

// Optional prefix match on area (the trailing % is the LIKE wildcard).
if (!area.equals(""))
    sqlcom = sqlcom + " and ( ucase(area) like '" + area.toUpperCase() + "%')";

Statement stmt = con.createStatement();
ResultSet rs = stmt.executeQuery(sqlcom);

Now, how do I execute the above using a PreparedStatement?
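One way to do this, written here as an added example rather than code from the question: keep building the WHERE clause dynamically, but put a `?` placeholder wherever a value used to be concatenated and collect the corresponding values in a list in the same order. After the SQL text is complete, bind the values with `setString`. The `Connection con` and the `bloodbanks` table are assumed to exist as in the question; the method name `countBloodBanks` and the helper class are my own.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class BloodBankCount {

    // Same filters as the original Statement version, but every user-supplied
    // value travels as a bind parameter, never as part of the SQL text.
    public static int countBloodBanks(Connection con, String city, String pin, String area)
            throws SQLException {
        StringBuilder sql = new StringBuilder(
                "select count(*) from bloodbanks where ucase(city) = ?");
        List<String> params = new ArrayList<>();
        params.add(city.toUpperCase());

        if (!pin.isEmpty()) {
            sql.append(" and pin = ?");
            params.add(pin);
        }

        if (!area.isEmpty()) {
            sql.append(" and ( ucase(area) like ? )");
            // The % wildcard belongs to the bound value, not to the SQL string.
            params.add(area.toUpperCase() + "%");
        }

        // Placeholders and params were appended in lock step, so index i in the
        // list corresponds to JDBC parameter i + 1 (JDBC parameters are 1-based).
        try (PreparedStatement ps = con.prepareStatement(sql.toString())) {
            for (int i = 0; i < params.size(); i++) {
                ps.setString(i + 1, params.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }
}
```

Two points worth noting. First, the quotes around the values disappear: the driver handles quoting, so a value containing `'` is simply matched literally instead of ending the string in the query. Second, a bound LIKE pattern is still a pattern, so a user-supplied `%` or `_` inside `area` acts as a wildcard; if that matters, escape those characters in the value and add an `ESCAPE` clause to the SQL.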